Abstract

In air traffic management, a pairwise conflict is a predicted loss of separation between two aircraft, referred to as the ownship and the intruder. A conflict prevention bands system computes ranges of maneuvers for the ownship that characterize regions in the airspace that are either conflict-free or “don’t go” zones that the ownship has to avoid. Conflict prevention bands are surprisingly difficult to define and analyze. Errors in the calculation of prevention bands may result in incorrect separation assurance information being displayed to pilots or air traffic controllers. This paper presents provably correct 3-dimensional prevention bands algorithms for ranges of track angle, ground speed, and vertical speed maneuvers. The algorithms have been mechanically verified in the Prototype Verification System (PVS). The verification presented in this paper extends in a non-trivial way that of previously published 2-dimensional algorithms.
Figure 1. A graphical display of prevention bands algorithms for track angle, ground speed, and vertical speed

1 Introduction 

In air traffic management, a (pairwise) conflict is a predicted loss of separation 
between two aircraft within a lookahead time. One of the aircraft is called the 
ownship and the other aircraft, which represents an arbitrary traffic aircraft, is 
called the intruder. 

A conflict prevention system consists of algorithms that sense traffic aircraft and 
characterize ranges of maneuvers for the ownship that are either conflict-free or that 
lead to conflict. The maneuvers are typically constrained to those where only one 
parameter of the ownship’s velocity is varied at a time: track angle, vertical speed, 
or ground speed. 

More precisely, a (pairwise) prevention bands algorithm, for a given parameter such as track angle, ground speed, or vertical speed, has as input the state information of the ownship and intruder aircraft, i.e., their 3-dimensional position and velocity vectors. It returns a list of regions, called bands, consisting of values for the specified parameter. There is a natural way to associate a color, either red or green, to each band. Red bands specify “don’t go” zones, i.e., parameter values that the ownship has to avoid because they lead to conflict. Conversely, the green bands specify parameter values for the ownship that yield conflict-free maneuvers.

Figure 1 illustrates in a graphical display prevention bands for the ownship for 
track angle, ground speed, and vertical speed maneuvers. Given the current position 
and velocity vectors of the aircraft, the displayed bands in Figure 1 indicate that the 
aircraft will be in conflict if, for instance, the ownship maneuvers to a track angle of 
45°, to a ground speed of 300 knots, or to a vertical speed of 0 feet per min. On the 
other hand, if the ownship maneuvers to any value in the green regions the aircraft 
will be conflict-free. 

A pairwise prevention bands algorithm is correct if every possible value for the chosen parameter is either contained in a band or is a boundary point of one of the bands, and if the colors of the bands characterize conflict as follows. For all bands $B$ and parameter values $x \in B$, the ownship’s maneuver corresponding to the value $x$ is in conflict with the traffic aircraft if and only if the color of $B$ is red. Equivalently, the ownship’s maneuver corresponding to $x$ is not in conflict if and only if the color of $B$ is green.

Conflict prevention bands are surprisingly difficult to define and analyze [1]. The formal verification of a prevention bands algorithm for horizontal conflicts was described in [2]. Three-dimensional prevention bands algorithms were presented, without correctness proofs, in [3]. The 3-dimensional algorithms presented in that paper compute incorrect bands for some special cases. This paper presents correct versions of the prevention bands algorithms originally proposed in [3]. The correctness properties of these new algorithms have been formally verified in the Prototype Verification System (PVS) [4].

This paper focuses on pairwise algorithms, i.e., it considers only one traffic aircraft: the intruder. Prevention bands algorithms for an arbitrary number of traffic aircraft can be obtained from a pairwise algorithm by simply letting the red region for $n$ aircraft be the union of the red regions computed for the ownship and each individual traffic aircraft. The green regions can be computed as the complement of the red ones. The correctness of the algorithms for $n$ aircraft can be easily derived from the correctness of the pairwise prevention bands algorithms.

Notation 

The mathematical development presented in this paper has been fully formalized in PVS.¹ However, for readability, this paper uses standard mathematical notation instead of PVS syntax.

Vector variables are written in boldface letters and can be denoted by their components. For example, if $\mathbf{w} \in \mathbb{R}^3$ and $\mathbf{u} \in \mathbb{R}^2$, then $\mathbf{w} = (w_x, w_y, w_z)$ and $\mathbf{u} = (u_x, u_y)$. The notation $\mathbf{w}_{(x,y)}$ denotes the projection of $\mathbf{w}$ in the horizontal plane, i.e.,²

$$\mathbf{w}_{(x,y)} \equiv (w_x, w_y),$$

and the notation $\mathbf{u}$ with $[z \leftarrow r]$ denotes the 3-dimensional vector whose projection to $\mathbb{R}^2$ is $\mathbf{u}$ and whose $z$-coefficient is $r \in \mathbb{R}$, i.e.,

$$\mathbf{u} \text{ with } [z \leftarrow r] \equiv (u_x, u_y, r).$$

As usual, the notation $\|\mathbf{w}\|$ refers to the norm of the vector $\mathbf{w}$ and the notation $\mathbf{w} \cdot \mathbf{w}'$ refers to the dot product of the vectors $\mathbf{w}$ and $\mathbf{w}'$. The expression $\mathbf{0}$ represents the zero vector, i.e., the vector whose components are 0.

If $\mathbf{u} \in \mathbb{R}^2$, then $\mathbf{u}^\perp$ denotes the (right) perpendicular vector:

$$\mathbf{u}^\perp \equiv (u_y, -u_x).$$

From this definition, it can be easily proven that $\mathbf{u} \cdot \mathbf{u}^\perp = 0$. Furthermore, if $\mathbf{u}$ is nonzero, then the vector $\mathbf{w} \in \mathbb{R}^2$ can be written as a linear combination of $\mathbf{u}$ and $\mathbf{u}^\perp$ in the following way:

$$\mathbf{w} = \frac{1}{\|\mathbf{u}\|^2}\big((\mathbf{u} \cdot \mathbf{w})\,\mathbf{u} + (\mathbf{u}^\perp \cdot \mathbf{w})\,\mathbf{u}^\perp\big). \quad (1)$$

¹ Electronically available from http://shemesh.larc.nasa.gov/people/cam/ACCoRD.

² The symbol $\equiv$ is used in this paper to introduce mathematical definitions.
The function $\mathit{sign}: \mathbb{R} \to \{-1, 1\}$ is defined such that $\mathit{sign}(x) = 1$ if $x > 0$ and $\mathit{sign}(x) = -1$ otherwise. As usual in mathematics, $\iota = \pm 1$ denotes the fact that an integer $\iota$ belongs to the set $\{-1, 1\}$. Moreover, $\neg$, $\Rightarrow$, and $\Leftrightarrow$ denote logical negation, implication, and equivalence, respectively.

Finally, by convention, names of predicates and functions used in the specification of the problem are written in italics. Functions that represent algorithms to be implemented in a programming language are written in typewriter font.

2 Statement of the Problem 

The prevention bands algorithms discussed here only use state-based information for the two aircraft, i.e., constant position and velocity vectors that are elements of the 3-dimensional Euclidean space $\mathbb{R}^3$. Aircraft dynamics are represented by a point moving at constant linear speed. These approximations of real aircraft behavior are valid for short lookahead times (typically less than 5 minutes). The current states of the ownship and traffic aircraft are denoted by the following vectors.

• $\mathbf{s}_o \in \mathbb{R}^3$: initial position of the ownship aircraft

• $\mathbf{v}_o \in \mathbb{R}^3$: initial velocity of the ownship aircraft

• $\mathbf{s}_i \in \mathbb{R}^3$: initial position of the traffic aircraft

• $\mathbf{v}_i \in \mathbb{R}^3$: initial velocity of the traffic aircraft


In the airspace system, the separation criterion for two aircraft is specified as a 
minimum horizontal separation D and a minimum vertical separation H . A conflict 
between the ownship and the intruder occurs when there is a time in the future, 
within a lookahead time T, such that the horizontal distance between the aircraft 
is less than D, and the vertical distance is less than H. Typically, D is 5 nautical 
miles, H is 1000 feet, and T is 5 minutes. 

For the remainder of the paper, it is assumed that the ground speeds of the ownship and intruder aircraft are not zero, i.e., both $\|\mathbf{v}_{o(x,y)}\| \neq 0$ and $\|\mathbf{v}_{i(x,y)}\| \neq 0$ hold, and that the aircraft are not in loss of separation, i.e., either $\|\mathbf{s}_{o(x,y)} - \mathbf{s}_{i(x,y)}\| \geq D$ or $|s_{oz} - s_{iz}| \geq H$ holds. Therefore,

$$\mathbf{v}_{o(x,y)} \neq \mathbf{0}, \qquad \mathbf{v}_{i(x,y)} \neq \mathbf{0}, \qquad \mathbf{s}_o - \mathbf{s}_i \neq \mathbf{0}.$$

As noted in the introduction, the possible maneuvers considered for the ownship 
are constrained to those where only one parameter of the ownship’s velocity vector 
is varied, e.g., track angle, ground speed, or vertical speed. 

2.1 Conflicts 

The ownship and the intruder aircraft are in conflict if there exists $t \in [0, T]$ such that, at time $t$, vertical separation is lost, i.e.,

$$|((\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i))_z| < H,$$

and horizontal separation is lost, i.e.,

$$\|(\mathbf{s}_o + t\,\mathbf{v}_o)_{(x,y)} - (\mathbf{s}_i + t\,\mathbf{v}_i)_{(x,y)}\| < D.$$

Since $(\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i) = (\mathbf{s}_o - \mathbf{s}_i) + t\,(\mathbf{v}_o - \mathbf{v}_i)$, the predicate that characterizes conflict can be defined on $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, the relative position and velocity vector, respectively, of the ownship with respect to the intruder.

That is, conflict can be viewed as a predicate of two vectors $\mathbf{s}$ and $\mathbf{v}$ rather than a predicate of four vectors $\mathbf{s}_o$, $\mathbf{v}_o$, $\mathbf{s}_i$, and $\mathbf{v}_i$, a result that greatly simplifies the notation. Thus, the predicate $\mathit{conflict?}$ can be formally defined as follows.

$$\mathit{conflict?}(\mathbf{s}, \mathbf{v}) \equiv \exists t \in [0, T] : |(\mathbf{s} + t\,\mathbf{v})_z| < H \text{ and } \|\mathbf{s}_{(x,y)} + t\,\mathbf{v}_{(x,y)}\| < D.$$

For the remainder of this paper, the relative position and velocity vectors, $\mathbf{s}$ and $\mathbf{v}$, will be used in place of $\mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v}_o - \mathbf{v}_i$, respectively.

The separation criterion can be understood as an imaginary cylinder of height $H$ and diameter $D$ around each aircraft and a conflict between two aircraft as a future overlapping of these cylinders. In this paper, an alternative but equivalent view is considered where the intruder is surrounded by a cylinder, called protected zone, of half-height $H$ and radius $D$. From this perspective, a conflict between these two aircraft is equivalent to the existence of a time $t \in [0, T]$ at which the ownship is in the interior of the intruder’s protected zone.

2.2 Track Angle, Ground Speed, and Vertical Speed Maneuvers 

A maneuver for the ownship is a new velocity vector that is implemented by the aircraft in zero time. Track angle, ground speed, and vertical speed maneuvers are formally defined as follows.

• A track angle maneuver for the ownship is a velocity vector $\mathbf{v}'_o$ such that $\|\mathbf{v}'_{o(x,y)}\| = \|\mathbf{v}_{o(x,y)}\|$ and $v'_{oz} = v_{oz}$. In this case, there exists a function $\mathit{track}: \mathbb{R}^3 \to \mathbb{R}$ that computes a real number $\alpha = \mathit{track}(\mathbf{v}'_o)$, called the track angle of $\mathbf{v}'_o$, such that

$$\mathbf{v}'_{o(x,y)} = (\|\mathbf{v}_{o(x,y)}\| \sin\alpha,\ \|\mathbf{v}_{o(x,y)}\| \cos\alpha).$$

The function $\mathit{track}$ is easily defined using the arc tangent function and the signs of $v'_{ox}$ and $v'_{oy}$.

• A ground speed maneuver for the ownship is a velocity vector $\mathbf{v}'_o$ such that $\mathbf{v}'_{o(x,y)}$ and $\mathbf{v}_{o(x,y)}$ are parallel (have the same track angle) and $v'_{oz} = v_{oz}$. In this case, there exists a real number $\rho$ with the property that

$$\mathbf{v}'_o = \left(\frac{\rho}{\|\mathbf{v}_{o(x,y)}\|}\, v_{ox},\ \frac{\rho}{\|\mathbf{v}_{o(x,y)}\|}\, v_{oy},\ v_{oz}\right).$$

The number $\rho$ is the ground speed of $\mathbf{v}'_o$, i.e., $\|\mathbf{v}'_{o(x,y)}\| = \rho$.

• A vertical speed maneuver for the ownship is a velocity vector $\mathbf{v}'_o$ such that $\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$, i.e., the horizontal velocity vectors are equal. In this case, there exists a real number $r$, called the vertical speed of $\mathbf{v}'_o$, such that

$$\mathbf{v}'_o = (v_{ox}, v_{oy}, r).$$

The functions $\nu_{\mathrm{trk}}, \nu_{\mathrm{gs}}, \nu_{\mathrm{vs}}: \mathbb{R} \to \mathbb{R}^3$, implicitly parametrized by $\mathbf{v}_o$, are defined as follows.

$$\nu_{\mathrm{trk}}(\alpha) \equiv (\|\mathbf{v}_{o(x,y)}\| \sin\alpha,\ \|\mathbf{v}_{o(x,y)}\| \cos\alpha,\ v_{oz}), \quad (3)$$

$$\nu_{\mathrm{gs}}(\rho) \equiv \left(\frac{\rho}{\|\mathbf{v}_{o(x,y)}\|}\, v_{ox},\ \frac{\rho}{\|\mathbf{v}_{o(x,y)}\|}\, v_{oy},\ v_{oz}\right), \quad (4)$$

$$\nu_{\mathrm{vs}}(r) \equiv (v_{ox}, v_{oy}, r). \quad (5)$$

These functions assign to each track angle $\alpha \in \mathbb{R}$, ground speed $\rho \in \mathbb{R}$, and vertical speed $r \in \mathbb{R}$, respectively, the corresponding velocity vector for the ownship. Important properties of the functions $\nu_{\mathrm{trk}}$, $\nu_{\mathrm{gs}}$, and $\nu_{\mathrm{vs}}$ are:

$$\|\nu_{\mathrm{trk}}(\alpha)_{(x,y)}\| = \|\mathbf{v}_{o(x,y)}\|, \quad (6)$$

$$\|\nu_{\mathrm{gs}}(\rho)_{(x,y)}\| = \rho, \quad (7)$$

$$\nu_{\mathrm{vs}}(r)_z = r. \quad (8)$$

The constructions in this paper will restrict ground speed maneuvers to those where the ground speed $\rho$ is positive.



2.3 Conflict Detection Algorithm 

A conflict detection algorithm cd is a function that takes as parameters the relative position of the aircraft $\mathbf{s}$ and the velocity vectors $\mathbf{v}_o$, $\mathbf{v}_i$, and returns a Boolean value, i.e., True or False.

Definition 1. The algorithm cd is correct if it holds that

$$\mathit{conflict?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \Rightarrow \mathtt{cd}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i).$$

The algorithm cd is complete if it holds that

$$\mathtt{cd}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i) \Rightarrow \mathit{conflict?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i).$$

In other words, a conflict detection algorithm is correct if it does not have missed alerts, i.e., it detects all conflicts, and it is complete if it does not have false alerts, i.e., it only detects actual conflicts. Note that a conflict detection algorithm $\mathtt{cd}_T$ that always returns True is correct and an algorithm $\mathtt{cd}_F$ that always returns False is complete. However, $\mathtt{cd}_T$ is not complete and $\mathtt{cd}_F$ is not correct. An example of a correct and complete conflict detection algorithm is cd3d (see Appendix in [3]).
2.4 Prevention Bands Algorithms

Given a function $\nu: \mathbb{R} \to \mathbb{R}^3$ and a closed interval $I = [I_1, I_2]$, a prevention bands algorithm for $\nu$ over $I$ is a function with parameters $\mathbf{s}$, $\mathbf{v}_o$, and $\mathbf{v}_i$ that returns a finite, ordered sequence $L_\nu$ of elements of $I$, such that $I_1 \in L_\nu$ and $I_2 \in L_\nu$. Each consecutive pair $A$ and $B$ of entries in $L_\nu$ determines an open interval $(A, B)$, which is called a band (for the parameter represented by $\nu$).

By abuse of notation, the syntax $(A, B) \in L_\nu$ will denote that $(A, B)$ is a band in $L_\nu$, i.e., $A$ and $B$ are consecutive entries in $L_\nu$.

Definition 2. Given a function $\nu: \mathbb{R} \to \mathbb{R}^3$ and a closed interval $I \subseteq \mathbb{R}$, a prevention bands algorithm for $\nu$ over $I$ is correct if for any band $(A, B)$ in $L_\nu$ and real numbers $x, y \in (A, B)$, it holds that

$$\mathit{conflict?}(\mathbf{s}, \nu(x) - \mathbf{v}_i) \Leftrightarrow \mathit{conflict?}(\mathbf{s}, \nu(y) - \mathbf{v}_i).$$

The definition above states that all the points in a band computed by a correct prevention bands algorithm have the same conflict property, i.e., either all the points yield conflict-free maneuvers or all the points yield maneuvers that lead to conflict. Typically, $\nu$ will be one of the functions $\nu_{\mathrm{trk}}$, $\nu_{\mathrm{gs}}$, or $\nu_{\mathrm{vs}}$ defined in Formulas (3), (4), and (5). The boundaries $I_1$ and $I_2$ of the interval $I$ are minimum and maximum values for the argument of $\nu$. For $\nu = \nu_{\mathrm{trk}}$, the standard values are $I_1 = 0$ and $I_2 = 2\pi$. For $\nu = \nu_{\mathrm{gs}}$ and $\nu = \nu_{\mathrm{vs}}$, $I_1$ and $I_2$ are typically the minimum and maximum ground or vertical speeds for the ownship, respectively.

To each band $(A, B)$ in $L_\nu$, a color is associated as follows:

$$\mathit{color}(\mathbf{s}, \mathbf{v}_i, A, B) \equiv \text{if } \mathtt{cd}\!\left(\mathbf{s}, \nu\!\left(\tfrac{A + B}{2}\right), \mathbf{v}_i\right) \text{ then Red else Green endif} \quad (9)$$

where cd is any correct conflict detection algorithm, such as cd3d.

The following theorem can be easily proven from Definition 2.

Theorem 1. Given a function $\nu: \mathbb{R} \to \mathbb{R}^3$ and a closed interval $I \subseteq \mathbb{R}$, a prevention bands algorithm for $\nu$ is correct if and only if for any band $(A, B)$ in $L_\nu$,

$$\mathit{color}(\mathbf{s}, \mathbf{v}_i, A, B) = \mathrm{Red} \Rightarrow \forall y \in (A, B) : \mathit{conflict?}(\mathbf{s}, \nu(y) - \mathbf{v}_i), \text{ and} \quad (10)$$

$$\mathit{color}(\mathbf{s}, \mathbf{v}_i, A, B) = \mathrm{Green} \Rightarrow \forall y \in (A, B) : \neg\mathit{conflict?}(\mathbf{s}, \nu(y) - \mathbf{v}_i). \quad (11)$$

The relation between a graphical display such as in Figure 1 and the output of a prevention bands algorithm can be illustrated by considering the track angle display, that is, where $\nu = \nu_{\mathrm{trk}}$ and $I = [0, 2\pi]$. A prevention bands algorithm for track angle will return a finite, ordered sequence $L_{\nu_{\mathrm{trk}}}$ of track angles in the interval $[0, 2\pi]$. This sequence will contain both of the angles $0$ and $2\pi$. If the algorithm is correct, then each consecutive pair, $\alpha$ and $\beta$, of track angles in this sequence defines a band, i.e., an open interval $(\alpha, \beta)$, with the property that either

1. all track angles between $\alpha$ and $\beta$ result in conflict, or

2. all track angles between $\alpha$ and $\beta$ do not result in conflict.

If the track angles between $\alpha$ and $\beta$ all result in conflict, the region between $\alpha$ and $\beta$ is colored red. Otherwise, this region is colored green. The color of each such region is determined by conflict information at the midpoint. This is illustrated by Figure 2.

Figure 2. Relation between track angle prevention bands algorithm and graphical display (legend: midpoint angle in conflict; midpoint angle not in conflict)

2.5 Proving Correctness of a Prevention Bands Algorithm 

This section provides a general strategy that can be followed to formally verify that 
a given prevention bands algorithm is correct. Subsequent sections will describe 
the use of this strategy in the formal verification of prevention bands algorithms for 
track angle, ground speed, and vertical speed. 

Recall that a prevention bands algorithm depends on a function $\nu: \mathbb{R} \to \mathbb{R}^3$ (e.g., $\nu = \nu_{\mathrm{trk}}$), and a closed interval $I = [I_1, I_2]$. Thus, a real-valued argument $x$ of the function $\nu$ is understood as a parameter of the ownship’s velocity vector, and the value $\nu(x)$ is the corresponding velocity vector for that parameter. The following theorem can be used to verify the correctness of a prevention bands algorithm for $\nu$ over $I$.

Theorem 2. Let $L_\nu$ be a finite sequence computed by a prevention bands algorithm for $\nu$ over an interval $I$ and let $\Omega_\nu: \mathbb{R} \to \mathbb{R}$ be a continuous function, implicitly parametrized by $\mathbf{s}$ and $\mathbf{v}_i$, such that

1. $\Omega_\nu$ characterizes $\mathit{conflict?}$ in the following way:

$$\Omega_\nu(x) < 1 \Leftrightarrow \mathit{conflict?}(\mathbf{s}, \nu(x) - \mathbf{v}_i), \text{ and} \quad (12)$$

2. $L_\nu$ is $\Omega_\nu$-complete: for all real values $x \in I$,

$$\Omega_\nu(x) = 1 \Rightarrow x \in L_\nu, \quad (13)$$

then the algorithm that computes $L_\nu$ is correct.

Proof. By Theorem 1, it suffices to prove that Formulas (10) and (11) hold. Let $(A, B)$ be a band in $L_\nu$.

• Suppose that $\mathit{color}(\mathbf{s}, \mathbf{v}_i, A, B) = \mathrm{Red}$ and let $y$ be a real number in the open interval $(A, B)$. Suppose, by reduction to absurdity, that $\neg\mathit{conflict?}(\mathbf{s}, \nu(y) - \mathbf{v}_i)$. By Hypothesis 1, $\Omega_\nu(y) \geq 1$. However, by Hypothesis 2, since $(A, B) \in L_\nu$ and $y$ is equal to neither $A$ nor $B$, it follows that $\Omega_\nu(y) > 1$. By the definition of the function $\mathit{color}$ given in Equation (9), it holds that $\mathit{conflict?}(\mathbf{s}, \nu(x) - \mathbf{v}_i)$, where $x = \frac{A + B}{2}$. Again by Hypothesis 1, $\Omega_\nu(x) < 1$. Since $\Omega_\nu$ is continuous, the intermediate value theorem implies that there exists some $z$ between $x$ and $y$ such that $\Omega_\nu(z) = 1$. Since $z$ is therefore in the interval $(A, B)$, $A$ and $B$ are consecutive in $L_\nu$, and the algorithm computes all points where $\Omega_\nu$ realizes a value of 1, this is a contradiction.

• Similar reasoning can be used to show that if $\mathit{color}(\mathbf{s}, \mathbf{v}_i, A, B) = \mathrm{Green}$, then any $y$ in $(A, B)$ satisfies $\neg\mathit{conflict?}(\mathbf{s}, \nu(y) - \mathbf{v}_i)$.

□


3 The Function $\Omega$

Using Theorem 2 to verify that a prevention bands algorithm is correct for track angle, ground speed, or vertical speed maneuvers, i.e., for the functions $\nu_{\mathrm{trk}}$, $\nu_{\mathrm{gs}}$, and $\nu_{\mathrm{vs}}$, will require finding three separate instantiations of the function $\Omega_\nu$ that satisfy all the hypotheses of the theorem. This section proposes the definition of a function $\Omega$ that can be used to define $\Omega_\nu$ for any $\nu: \mathbb{R} \to \mathbb{R}^3$, where some of these hypotheses can be discharged once and for all.

Let $\Omega: \mathbb{R}^3 \to \mathbb{R}$ be a continuous function, implicitly parametrized by $\mathbf{s}$ ($= \mathbf{s}_o - \mathbf{s}_i$), that characterizes $\mathit{conflict?}$ in the following way:

$$\Omega(\mathbf{v}) < 1 \Leftrightarrow \mathit{conflict?}(\mathbf{s}, \mathbf{v}). \quad (14)$$

For any continuous function $\nu$, a continuous function $\Omega_\nu: \mathbb{R} \to \mathbb{R}$ that satisfies Equation (12) can be defined as follows:

$$\Omega_\nu(x) \equiv \Omega(\nu(x) - \mathbf{v}_i). \quad (15)$$

Therefore, since the functions $\nu_{\mathrm{trk}}$, $\nu_{\mathrm{gs}}$, and $\nu_{\mathrm{vs}}$ are continuous, Formula (15) can be used to construct continuous functions $\Omega_{\nu_{\mathrm{trk}}}$, $\Omega_{\nu_{\mathrm{gs}}}$, and $\Omega_{\nu_{\mathrm{vs}}}$ that satisfy Equation (12) in Theorem 2.

Given such a function $\Omega$, the verification of correctness of the track angle, ground speed, and vertical speed prevention bands algorithms over an interval $I$ can be reduced to proving that $L_\nu$, i.e., the sequence returned by each algorithm, is $\Omega_\nu$-complete, i.e., it contains all $x \in I$ where the function $\Omega_\nu$ attains a value of 1. Since each of the algorithms will compute a sequence of values in a distinct way, a special proof of $\Omega_\nu$-completeness will be required for each algorithm that computes $L_\nu$. The function $\Omega$ will be of use in this step as well. Indeed, the function $\Omega$ will be defined such that vectors $\mathbf{v}$ where $\Omega(\mathbf{v}) = 1$ have particular forms. The proof that $L_\nu$ is $\Omega_\nu$-complete, for $\nu \in \{\nu_{\mathrm{trk}}, \nu_{\mathrm{gs}}, \nu_{\mathrm{vs}}\}$, will be done by proving that $x \in L_\nu$ if and only if the vector $\nu(x)$ has one of these forms.

The rest of this section concerns the definition of such a function $\Omega$.



3.1 Cylindrical Distance

Recall from Section 2.1 that the protected zone is a cylinder around the intruder aircraft that has half-height $H$ and radius $D$. In order to define the function $\Omega$ that satisfies Equation (14), a notion of cylindrical distance is needed.

Definition 3. The cylindrical length of a vector $\mathbf{w} \in \mathbb{R}^3$ is the quantity

$$\|\mathbf{w}\|_{\mathrm{cyl}} \equiv \max\left(\frac{\|\mathbf{w}_{(x,y)}\|}{D}, \frac{|w_z|}{H}\right).$$

Definition 4. The cylindrical distance between two vectors, $\mathbf{w}_1$ and $\mathbf{w}_2$, is the quantity $\|\mathbf{w}_1 - \mathbf{w}_2\|_{\mathrm{cyl}}$.

Cylindrical distance is a metric on $\mathbb{R}^3$, in the sense of real analysis [5], and $\mathbb{R}^3$ is a metric space with this metric. In particular, this means that the triangle inequality holds for any $\mathbf{w}_0, \mathbf{w}_1, \mathbf{w}_2 \in \mathbb{R}^3$:

$$\|\mathbf{w}_0 - \mathbf{w}_2\|_{\mathrm{cyl}} \leq \|\mathbf{w}_0 - \mathbf{w}_1\|_{\mathrm{cyl}} + \|\mathbf{w}_1 - \mathbf{w}_2\|_{\mathrm{cyl}}. \quad (16)$$

The key property of cylindrical distance, as it relates to loss of separation of aircraft, is stated in the following theorem.

Theorem 3. Two aircraft are in loss of separation if and only if $\|\mathbf{s}\|_{\mathrm{cyl}} < 1$, where, as in Section 1, $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ is the relative position vector of the aircraft.
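As an added example (not code from the paper nor from the ACCoRD/PVS development it describes), the following Python script gives an executable reading of the definitions of Sections 2.1 through 2.4 and 3.1: the predicate conflict? computed exactly from the vertical and horizontal separation conditions, the maneuver functions (3)-(5) with properties (6)-(8), the band color of Formula (9), the cylindrical length of Definition 3 together with the Theorem 3 characterization of loss of separation, and a sampled check of the band property of Definition 2. The scenario values, the unit conventions and all function names are my own assumptions.

```python
# Added example: executable reading of conflict?, the maneuver functions,
# band coloring and cylindrical length.  Scenario numbers are constructed.
# Units: horizontal quantities in nautical miles and nmi/min, vertical ones in
# feet and ft/min, time in minutes, so D = 5, H = 1000 and T = 5 match the
# paper's typical values (5 nmi, 1000 ft, 5 min).
import math

INF = math.inf
EMPTY = (INF, -INF)  # an open interval (lo, hi) with lo >= hi is empty


def ground_speed(v):
    """||v_(x,y)||, the ground speed of a velocity vector."""
    return math.hypot(v[0], v[1])


def nu_trk(v_o, alpha):
    """Track angle maneuver, Formula (3): same ground speed and v_z, track alpha."""
    gs = ground_speed(v_o)
    return (gs * math.sin(alpha), gs * math.cos(alpha), v_o[2])


def nu_gs(v_o, rho):
    """Ground speed maneuver, Formula (4): same track and v_z, ground speed rho > 0."""
    gs = ground_speed(v_o)  # assumed nonzero, as in Section 2
    return (rho * v_o[0] / gs, rho * v_o[1] / gs, v_o[2])


def nu_vs(v_o, r):
    """Vertical speed maneuver, Formula (5): same horizontal velocity, vertical speed r."""
    return (v_o[0], v_o[1], r)


def cyl_length(w, D, H):
    """Cylindrical length of Definition 3: max(||w_(x,y)||/D, |w_z|/H)."""
    return max(ground_speed(w) / D, abs(w[2]) / H)


def vertical_loss_times(s, v, H):
    """Open interval of times t with |s_z + t v_z| < H (vertical separation lost)."""
    s_z, v_z = s[2], v[2]
    if v_z == 0:
        return (-INF, INF) if abs(s_z) < H else EMPTY
    t1, t2 = (-H - s_z) / v_z, (H - s_z) / v_z
    return (min(t1, t2), max(t1, t2))


def horizontal_loss_times(s, v, D):
    """Open interval of times t with ||s_(x,y) + t v_(x,y)|| < D.

    ||s_(x,y) + t v_(x,y)||^2 < D^2 is the quadratic a t^2 + 2 b t + c < 0 in t.
    """
    a = v[0] * v[0] + v[1] * v[1]
    b = s[0] * v[0] + s[1] * v[1]
    c = s[0] * s[0] + s[1] * s[1] - D * D
    if a == 0:  # no relative horizontal motion: the distance is constant
        return (-INF, INF) if c < 0 else EMPTY
    disc = b * b - a * c
    if disc <= 0:  # closest horizontal approach is at or outside radius D
        return EMPTY
    root = math.sqrt(disc)
    return ((-b - root) / a, (-b + root) / a)


def conflict(s, v, D, H, T):
    """conflict?(s, v): some t in [0, T] loses both vertical and horizontal separation."""
    lo_v, hi_v = vertical_loss_times(s, v, H)
    lo_h, hi_h = horizontal_loss_times(s, v, D)
    lo, hi = max(lo_v, lo_h), min(hi_v, hi_h)  # intersection of the two open intervals
    return lo < hi and hi > 0 and lo < T       # (lo, hi) meets the closed interval [0, T]


def relative(v_o, v_i):
    """Relative vector v_o - v_i (used for both positions and velocities)."""
    return tuple(v_o[k] - v_i[k] for k in range(3))


def color(s, v_o, v_i, nu, A, B, D, H, T):
    """Formula (9): the band (A, B) is Red iff the midpoint maneuver is in conflict.

    The exact detector `conflict` plays the role of the conflict detection algorithm cd.
    """
    mid = nu(v_o, (A + B) / 2)
    return "Red" if conflict(s, relative(mid, v_i), D, H, T) else "Green"


def band_is_consistent(s, v_o, v_i, nu, A, B, D, H, T, samples=200):
    """Definition 2 checked by sampling: every maneuver in (A, B) must share the
    conflict status of the band's midpoint.  False means (A, B) is not a band that
    a correct prevention bands algorithm could have returned."""
    want = color(s, v_o, v_i, nu, A, B, D, H, T) == "Red"
    for k in range(1, samples):
        x = A + (B - A) * k / samples
        if conflict(s, relative(nu(v_o, x), v_i), D, H, T) != want:
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: ownship at the origin heading north at 8 nmi/min,
    # intruder 30 nmi ahead heading south at 8 nmi/min, both level.
    D, H, T = 5.0, 1000.0, 5.0
    s_o, v_o = (0.0, 0.0, 0.0), (0.0, 8.0, 0.0)
    s_i, v_i = (0.0, 30.0, 0.0), (0.0, -8.0, 0.0)
    s = relative(s_o, s_i)
    print("head-on conflict:", conflict(s, relative(v_o, v_i), D, H, T))
    print("track band (0, 0.2) rad:", color(s, v_o, v_i, nu_trk, 0.0, 0.2, D, H, T))
```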


3.2 The Definition of $\Omega$

By Theorem 3, the ownship and the intruder aircraft are in conflict if and only if there exists some $t \in [0, T]$ such that $\|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} < 1$. Thus, for $\mathbf{s}$ such that $\|\mathbf{s}\|_{\mathrm{cyl}} \neq 1$, i.e., for $\mathbf{s}$ not on the boundary of the protected zone, the function $\Omega(\mathbf{v})$ is defined as

$$\Omega(\mathbf{v}) \equiv \min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}. \quad (17)$$
Two important remarks on the definition of the function $\Omega$ given by Formula (17) are in order. First, the function $\Omega$ is well-defined since the quantity $\|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$ actually attains a minimum as $t$ ranges over the interval $[0, T]$. That is, there exists some $\tau \in [0, T]$ such that $\|\mathbf{s} + \tau\,\mathbf{v}\|_{\mathrm{cyl}} \leq \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$ for all $t \in [0, T]$. Indeed, when the vectors $\mathbf{s}$ and $\mathbf{v}$ are fixed, the function $d_{\mathrm{cyl}}: [0, T] \to \mathbb{R}$ defined by $d_{\mathrm{cyl}}(t) = \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$ is continuous, and every continuous function on a closed interval attains a minimum on that interval. The function $d_{\mathrm{cyl}}$ is continuous because it is the maximum of two functions, $d_{\mathrm{horiz}}$ and $d_{\mathrm{vert}}$, defined by

$$d_{\mathrm{horiz}}(t) \equiv \frac{\|(\mathbf{s} + t\,\mathbf{v})_{(x,y)}\|}{D}, \qquad d_{\mathrm{vert}}(t) \equiv \frac{|(\mathbf{s} + t\,\mathbf{v})_z|}{H},$$

both of which are continuous.

Figure 3. Infinitely many places where $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} = 1$

Second, Formula (17) does not define $\Omega$ when $\|\mathbf{s}\|_{\mathrm{cyl}} = 1$. If $\|\mathbf{s}\|_{\mathrm{cyl}} = 1$, in which case $\mathbf{s}$ is on the boundary of the cylinder, then any $\mathbf{v}$ which points outward from the cylinder will satisfy $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} = 1$. This is because the minimum is attained at $t = 0$ for any such $\mathbf{v}$. This is illustrated in Figure 3 in the case where $\|\mathbf{s}_{(x,y)}\| = D$ and $|s_z| < H$. Therefore, if $\|\mathbf{s}\|_{\mathrm{cyl}} = 1$, there is an infinite number of vectors $\mathbf{v}$ such that $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} = 1$. Defining $\Omega$ in this case using Formula (17) would make the proof that $L_\nu$ is $\Omega_\nu$-complete impossible, as by definition of a prevention bands algorithm the sequence $L_\nu$ is finite.

While this shows that some care is needed when defining $\Omega$ on the boundary of the cylinder, it is possible to define $\Omega$ so that

1. it satisfies Equation (12),

2. it is continuous, and

3. it is suitable for showing that a sequence $L_\nu$ is $\Omega_\nu$-complete.

$$\Omega(\mathbf{v}) \equiv \begin{cases} \mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)} & \text{if } \|\mathbf{s}_{(x,y)}\| = D \text{ and } |s_z| < H, \\ s_z v_z & \text{if } \|\mathbf{s}_{(x,y)}\| < D \text{ and } |s_z| = H, \\ \max(\mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)},\ s_z v_z) & \text{if } \|\mathbf{s}_{(x,y)}\| = D \text{ and } |s_z| = H, \\ \min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} & \text{otherwise, i.e., if } \|\mathbf{s}\|_{\mathrm{cyl}} \neq 1. \end{cases} \quad (18)$$

The following theorem is a basic exercise in vector algebra.

Theorem 4. $\mathit{conflict?}(\mathbf{s}, \mathbf{v}) \Leftrightarrow \Omega(\mathbf{v}) < 1$.

The formal proof that $\Omega$ is continuous requires more work and it is explained in the rest of this section. Section 4 provides a classification theorem for $\Omega$, which is then used in Sections 5-7 to show that the sequences $L_\nu$, for $\nu \in \{\nu_{\mathrm{trk}}, \nu_{\mathrm{gs}}, \nu_{\mathrm{vs}}\}$, computed by the proposed prevention bands algorithms, are $\Omega_\nu$-complete.

3.3 Continuity of $\Omega$

Since the if-statements in the definition of $\Omega$ do not depend on $\mathbf{v}$, $\Omega$ is continuous if and only if each of the quantities $\mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)}$, $s_z v_z$, $\max(\mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)},\ s_z v_z)$, and $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$ are continuous functions of $\mathbf{v}$. Only one of these four statements is nontrivial, that the minimum $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$ is continuous in $\mathbf{v}$. This can be proved with standard techniques from real analysis [5]. In fact, it follows from a generalization of the Heine-Cantor theorem, which says that a continuous function on a closed interval is uniformly continuous. In particular, the following theorem has been proved.

Theorem 5. If $A$ and $B$ are real numbers with $A < B$ and $f: [A, B] \times \mathbb{R}^n \to \mathbb{R}$ is continuous, then the function $g: \mathbb{R}^n \to \mathbb{R}$ defined by $g(\mathbf{v}) = \min_{t \in [A, B]} f(t, \mathbf{v})$ is continuous.

The formal proof of this theorem required the development of a vector analysis library in PVS, which is now part of the PVS NASA Libraries.³

The continuity of $\Omega$ is a direct consequence of Theorem 5, when $A = 0$, $B = T$, and $f(t, \mathbf{v}) = \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}}$.

Theorem 6. The function $\Omega$ is continuous.

The purpose for constructing the function $\Omega$ was to provide a definition for $\Omega_\nu: \mathbb{R} \to \mathbb{R}$ for every function $\nu$. The following corollaries follow directly from Theorems 4 and 6.

Corollary 7. For any $\nu: \mathbb{R} \to \mathbb{R}^3$, the function $\Omega_\nu$, defined in Equation (15), satisfies $\Omega_\nu(x) < 1$ if and only if $\mathit{conflict?}(\mathbf{s}, \nu(x) - \mathbf{v}_i)$.

Corollary 8. If $\nu: \mathbb{R} \to \mathbb{R}^3$ is continuous, then the function $\Omega_\nu$ is continuous.

Since the functions $\nu_{\mathrm{trk}}$, $\nu_{\mathrm{gs}}$, and $\nu_{\mathrm{vs}}$ are continuous, Corollaries 7 and 8 hold for $\Omega_{\nu_{\mathrm{trk}}}$, $\Omega_{\nu_{\mathrm{gs}}}$, and $\Omega_{\nu_{\mathrm{vs}}}$.

4 Classification of Critical Vectors

To verify the correctness of a prevention bands algorithm for $\nu$ over a closed interval $I$, it must be shown that the computed sequence $L_\nu$ is finite and includes all points $x \in I$ such that $\Omega(\nu(x) - \mathbf{v}_i) = 1$. Vectors $\mathbf{v}$ that satisfy $\Omega(\mathbf{v}) = 1$ are called critical vectors. This section shows that critical vectors can be analytically classified in a finite way.

³ The PVS NASA Libraries are available from http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-library/pvslib.html.
Figure 5. Case $\tau = T$, $|s_z + T v_z| = H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| < D$

Consider a relative position vector $\mathbf{s}$ that satisfies $\|\mathbf{s}\|_{\mathrm{cyl}} \neq 1$ and a critical vector $\mathbf{v}$. Since $\Omega(\mathbf{v}) = 1$, it holds that $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} = 1$. This minimum is attained at a real number $\tau \in [0, T]$. Since $\|\mathbf{s}\|_{\mathrm{cyl}} \neq 1$, it follows that $\tau \neq 0$. Thus, either $\tau = T$ or $0 < \tau < T$. If it holds that $v_z \neq 0$, $0 < \tau < T$, $|s_z + \tau v_z| = H$, and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| < D$, then it can be shown that $\min_{t \in [0, T]} \|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} < 1$. That is, there is a time near $\tau$ where the aircraft will be in loss of separation. This is illustrated in Figure 4.

If the same conditions hold, but with $v_z = 0$, then $\tau$ is not unique, and it can also be shown that a particular $\tau$ can be chosen so that $0 < \tau < T$, $|s_z + \tau v_z| = H$, and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$.

Since $1 = \Omega(\mathbf{v}) = \|\mathbf{s} + \tau\,\mathbf{v}\|_{\mathrm{cyl}} = \max\left(\frac{\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\|}{D}, \frac{|s_z + \tau v_z|}{H}\right)$, this leaves the following cases.

1. Case $\tau = T$, $|s_z + T v_z| = H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| < D$.

2. Case $\tau = T$, $|s_z + T v_z| < H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| = D$.

3. Case $|s_z + \tau v_z| = H$ and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$.

4. Case $0 < \tau < T$, $|s_z + \tau v_z| < H$, and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$.

These four cases are illustrated in Figures 5, 6, 7, and 8, respectively.

These cases will be formalized using four predicates: $\mathit{vertical\_case?}$ (Section 4.1), $\mathit{circle\_case\_2D?}$ (Section 4.2), $\mathit{circle\_case\_3D?}$ (Section 4.3), and $\mathit{line\_case?}$ (Section 4.4). It will be shown in Section 4.5 that these four predicates are sufficient to classify solutions to the equation $\Omega(\mathbf{v}) = 1$, even in the case where $\|\mathbf{s}\|_{\mathrm{cyl}} = 1$.
Figure 6. Case $\tau = T$, $|s_z + T v_z| < H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| = D$

Figure 7. Case $|s_z + \tau v_z| = H$ and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$

Figure 8. Case $0 < \tau < T$, $|s_z + \tau v_z| < H$, and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$
4.1 Vertical Case

Consider the case 1 where $\tau = T$, $|s_z + T v_z| = H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| < D$, which is illustrated by Figure 5. In this case, if $(s_z + T v_z)\, v_z > 0$, it can be formally proven that there is some $t \in (0, T)$ such that $\|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} < 1$, which is a contradiction. This motivates the definition of the following predicate on $s_z$, $v_z$, a real number $t$, and an integer $\iota = \pm 1$.

$$\mathit{vertical\_case?}(s_z, v_z, t, \iota) \equiv |s_z + t v_z| = H \text{ and } \iota\,(s_z + t v_z)\, v_z \geq 0. \quad (19)$$

Intuitively, the number $\iota$ can be thought of as direction, with $\iota = -1$ corresponding to entry into the protected zone at time $t$, and $\iota = 1$ corresponding to exit.

Case 1 corresponds to $\mathit{vertical\_case?}(s_z, v_z, T, -1)$. The condition

$$\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| < D$$

is explicitly not included in this predicate, because the more general form is useful when classifying other types of critical vectors. It is important to note that if $|s_z + T v_z| = H$, then $\mathit{vertical\_case?}(s_z, v_z, T, \iota)$ holds for some $\iota = \pm 1$.

Vectors $\mathbf{v}$ that satisfy the predicate $\mathit{vertical\_case?}$ are called vertical solutions.
4.2 Circle Case 2D

Consider the case 2 where $\tau = T$, $|s_z + T v_z| < H$, and $\|(\mathbf{s} + T\,\mathbf{v})_{(x,y)}\| = D$, which is illustrated by Figure 6. If $(\mathbf{s}_{(x,y)} + T\,\mathbf{v}_{(x,y)}) \cdot \mathbf{v}_{(x,y)} > 0$, then it can be formally proven that there is some $t \in (0, T)$ such that $\|\mathbf{s} + t\,\mathbf{v}\|_{\mathrm{cyl}} < 1$, which is a contradiction. This motivates the definition of the following predicate on $\mathbf{s}$, $\mathbf{v}$, a real number $t$, and $\iota = \pm 1$.

$$\mathit{circle\_case\_2D?}(\mathbf{s}, \mathbf{v}, t, \iota) \equiv \|(\mathbf{s} + t\,\mathbf{v})_{(x,y)}\| = D \text{ and } \iota\,(\mathbf{s}_{(x,y)} + t\,\mathbf{v}_{(x,y)}) \cdot \mathbf{v}_{(x,y)} \geq 0. \quad (20)$$

Case 2 corresponds to $\mathit{circle\_case\_2D?}(\mathbf{s}, \mathbf{v}, T, -1)$. The condition

$$|s_z + T v_z| < H$$

is not included in this predicate, because it will be used, along with $\mathit{vertical\_case?}$, to classify other types of critical vectors. As for the predicate $\mathit{vertical\_case?}$ above, an important property of $\mathit{circle\_case\_2D?}$ is that $\|(\mathbf{s} + t\,\mathbf{v})_{(x,y)}\| = D$ implies that $\mathit{circle\_case\_2D?}(\mathbf{s}, \mathbf{v}, t, \iota)$ holds for some $\iota = \pm 1$.

Vectors $\mathbf{v}$ that satisfy the predicate $\mathit{circle\_case\_2D?}$ are called 2D circle solutions.



4.3 Circle Case 3D

Consider the case 3 where $|s_z + \tau v_z| = H$ and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$, which is illustrated by Figure 7. It follows from the definitions of $\mathit{vertical\_case?}$ and $\mathit{circle\_case\_2D?}$ that there exist $\iota_1, \iota_2$, each equal to $-1$ or $1$, such that $\mathit{vertical\_case?}(s_z, v_z, \tau, \iota_1)$ and $\mathit{circle\_case\_2D?}(\mathbf{s}, \mathbf{v}, \tau, \iota_2)$. If $T$ is positive and $\iota_1 = \iota_2$, it can be proven that either $\mathit{vertical\_case?}(s_z, v_z, T, -1)$ or $\Omega(\mathbf{v}) < 1$. In classifying the solutions to the equation $\Omega(\mathbf{v}) = 1$, the case where $\mathit{vertical\_case?}(s_z, v_z, T, -1)$ is true is handled separately. Since it holds that $\Omega(\mathbf{v}) = 1$, a requirement for the case where $|s_z + \tau v_z| = H$ and $\|(\mathbf{s} + \tau\,\mathbf{v})_{(x,y)}\| = D$ is therefore that $\iota_1 = -\iota_2$. This motivates the definition of the following predicate. Similar to the predicate $\mathit{circle\_case\_2D?}$, this predicate depends on $\mathbf{s}$, $\mathbf{v}$, $\iota = \pm 1$, and a real number $t$.

$$\mathit{circle\_case\_3D?}(\mathbf{s}, \mathbf{v}, t, \iota) \equiv t > 0 \text{ and } \mathit{circle\_case\_2D?}(\mathbf{s}, \mathbf{v}, t, \iota) \text{ and } \mathit{vertical\_case?}(s_z, v_z, t, -\iota). \quad (21)$$

Vectors $\mathbf{v}$ that satisfy the predicate $\mathit{circle\_case\_3D?}$ are called 3D circle solutions.

Figure 9. Line case: $\mathbf{v}$ is tangent to the circle

4.4 Line Case

Consider the case 4 where $0 < \tau < T$, $|s_z + \tau v_z| < H$, and $\|(s + \tau v)_{(x,y)}\| = D$,
which is illustrated by Figure 8. As Figure 9 indicates, the fact that $\tau$ satisfies
$\min_{t \in [0,T]} \|s + t v\|_{\mathrm{cyl}} = \|s + \tau v\|_{\mathrm{cyl}}$ can be used to show that the trajectory from
$s_{(x,y)}$ along $v_{(x,y)}$ is tangent to the circle of radius $D$ around the origin. In this
figure, the vector $v^{\perp}$ is the vector $(v_y, -v_x, v_z)$.

It is immediately clear from Figure 9 that the angle $\alpha$ can be no greater than
$\pi/2$; it could equal $\pi/2$ only if the tangent point were $s_{(x,y)}$ itself, which is excluded
by $0 < \tau$. Since $-s_{(x,y)} \cdot v_{(x,y)} = \|s_{(x,y)}\|\,\|v_{(x,y)}\| \cos\alpha > 0$, it follows that
$s_{(x,y)} \cdot v_{(x,y)} < 0$.

In addition, $\cos\beta = D / \|s_{(x,y)}\|$. Thus,

$$
s_{(x,y)} \cdot v^{\perp}_{(x,y)} = \|s_{(x,y)}\|\,\|v_{(x,y)}\| \cos\beta = D\,\|v_{(x,y)}\|.
$$

This construction depends on a vector $v_{(x,y)}$ that is tangent to the right side
of the circle. The analogous construction for a vector $v_{(x,y)}$ that is tangent to the
left side of the circle would use $-v^{\perp}$ in the place of the vector $v^{\perp}$. This motivates
the definition of the following predicate, which depends on $s$, $v$, and a parameter $\varepsilon$,
which is equal to either $-1$ for a right-tangent, or $1$ for a left-tangent.

$$
\mathit{line\_case?}(s, v, \varepsilon) \;=\; s_{(x,y)} \cdot v_{(x,y)} < 0 \ \text{ and }\ -\varepsilon\,\big(s_{(x,y)} \cdot v^{\perp}_{(x,y)}\big) = D\,\|v_{(x,y)}\|.
$$

Vectors $v$ that satisfy the predicate $\mathit{line\_case?}$ are called line solutions.

4.5 The Classification Theorem

Critical vectors can be classified according to the following theorem.

Theorem 9. If $\Omega(v) = 1$, then one of the following conditions holds.

1. $\|s_{(x,y)}\| > D$ and $\mathit{line\_case?}(s, v, \varepsilon)$ holds for some $\varepsilon = \pm 1$.

2. $|s_z + T v_z| < H$ and $\mathit{circle\_case\_2D?}(s, v, T, -1)$.

3. There exists a real number $t > 0$ such that $\mathit{circle\_case\_3D?}(s, v, t, \iota)$ holds for some $\iota = \pm 1$.

4. $\|s_{(x,y)} + T v_{(x,y)}\| < D$ and $\mathit{vertical\_case?}(s_z, v_z, T, -1)$.

This theorem can be used to show that a sequence $L_\nu$ computed by a prevention
bands algorithm is $\Omega_\nu$-complete by proving that $L_\nu$ contains all the vectors that have
one of the four forms. It follows from this that $L_\nu$ contains all points $x \in I$ such
that $\Omega_\nu(x) = 1$. When applying this technique to the case of track angle, ground
speed, and vertical speed bands, it is still possible to find a few special cases where
there are infinitely many points in $I$ at which $\Omega_\nu$ attains the value 1. These cases
are handled separately by defining special versions of $\Omega_\nu$ that avoid this problem.

Section 4.6 defines functions $\Theta_H$ and $\Theta_D$ that compute the times where the aircraft
lose vertical separation and horizontal separation, respectively, and illustrates
the relation between these times and the four cases in the classification theorem
(Theorem 9). The functions $\Theta_H$ and $\Theta_D$ will be used to define prevention bands
algorithms for track angle, ground speed, and vertical speed maneuvers in sections 5, 6,
and 7, respectively.

4.6 Entry and Exit Times

In Figure 5, the time $t$ at which the trajectory from $s$ along $v$ enters the protected
zone vertically, i.e., where $(s + t v)_z = \pm H$, is precisely $T$. In Figure 6, the trajectory
first touches the circle of radius $D$ around the origin at time $T$. In Figure 7, the time
at which this trajectory enters the circle is precisely the time where its $z$-component
exits the interval $[-H, H]$. In Figure 8, the trajectory is tangent to the circle, so
the time where the trajectory first touches the circle is equal to the time where the
trajectory last touches the circle.

All this indicates that there are relationships between the predicates defined in
sections 4.1 to 4.4 and the following quantities:

• the times where the $z$-component of the trajectory from $s$ along $v$ enters and
exits the interval $[-H, H]$, and

• the times where the 2-dimensional trajectory from $s_{(x,y)}$ along $v_{(x,y)}$ enters
and exits the circle of radius $D$ around the origin.

This section gives precise definitions of mathematical functions that compute these
times and gives a variant of Theorem 9 that uses them.

The times where the $z$-component of the trajectory from $s$ along $v$ enters and
exits the interval $[-H, H]$ are real numbers $t$ such that $|s_z + t v_z| = H$. This
motivates the definition of the following function.

$$
\Theta_H(s_z, v_z, \iota) = \frac{\iota\,\mathrm{sign}(v_z)\,H - s_z}{v_z}, \qquad \text{for } v_z \neq 0, \tag{24}
$$

where the number $\iota$ is $\pm 1$. It is easy to check that $|s_z + \Theta_H(s_z, v_z, \iota)\, v_z| = H$. In
addition,

$$
\Theta_H(s_z, v_z, -1) \le \Theta_H(s_z, v_z, 1). \tag{25}
$$

Intuitively, the times $\Theta_H(s_z, v_z, -1)$ and $\Theta_H(s_z, v_z, 1)$ are the times at which the
$z$-component of the trajectory from $s$ along $v$ enters and exits the interval $[-H, H]$,
respectively. It can be proved from the definitions that $\iota\,(s_z + \Theta_H(s_z, v_z, \iota)\, v_z)\, v_z \ge 0$
for $v_z \neq 0$ and $\iota = \pm 1$.

Lemma 10. If $v_z \neq 0$, then $|(s + t v)_z| = H$ if and only if $t = \Theta_H(s_z, v_z, -1)$ or
$t = \Theta_H(s_z, v_z, 1)$.

Corollary 11. If $v_z \neq 0$ and $\iota = \pm 1$, then $\mathit{vertical\_case?}(s_z, v_z, t, \iota)$ if and only if
$t = \Theta_H(s_z, v_z, \iota)$.

Lemma 12. If $v_z \neq 0$, then $|(s + t v)_z| < H$ if and only if $\Theta_H(s_z, v_z, -1) < t <
\Theta_H(s_z, v_z, 1)$.


A similar construction can be used to find the times at which the trajectory
from $s_{(x,y)}$ along $v_{(x,y)}$ enters and exits the circle of radius $D$ around the origin.
These times are real numbers $t$ such that $\|(s + t v)_{(x,y)}\|^2 = D^2$. This is a quadratic
equation in $t$:

$$
\|v_{(x,y)}\|^2\, t^2 + 2\,(s_{(x,y)} \cdot v_{(x,y)})\, t + \big(\|s_{(x,y)}\|^2 - D^2\big) = 0. \tag{26}
$$

The roots of this quadratic equation are therefore given by the following function,
where $\iota = \pm 1$.

$$
\Theta_D(s, v, \iota) = \frac{-\,s_{(x,y)} \cdot v_{(x,y)} + \iota \sqrt{(s_{(x,y)} \cdot v_{(x,y)})^2 - \|v_{(x,y)}\|^2 \big(\|s_{(x,y)}\|^2 - D^2\big)}}{\|v_{(x,y)}\|^2}. \tag{27}
$$

For this function to return a real number, it is required that the 2-dimensional
vector $v_{(x,y)}$ be nonzero and that the discriminant of the quadratic equation (26) be
nonnegative. That is, $\Delta(s, v) \ge 0$, where

$$
\Delta(s, v) = (s_{(x,y)} \cdot v_{(x,y)})^2 - \|v_{(x,y)}\|^2 \big(\|s_{(x,y)}\|^2 - D^2\big). \tag{28}
$$

The discriminant of the polynomial in (26) is $4\Delta(s, v)$. If $\Delta(s, v) \ge 0$, then

$$
\Theta_D(s, v, 1) - \Theta_D(s, v, -1) = \frac{2\sqrt{\Delta(s, v)}}{\|v_{(x,y)}\|^2}.
$$

Thus, $\Theta_D(s, v, -1) \le \Theta_D(s, v, 1)$, and these two numbers are equal if and only if
there is only one solution to the quadratic equation (26), which is equivalent to the
statement that the line with direction $v_{(x,y)}$ that passes through $s_{(x,y)}$ is tangent to the
circle of radius $D$ around the origin. It has been formally proved that
$\iota\,(s_{(x,y)} + \Theta_D(s, v, \iota)\, v_{(x,y)}) \cdot v_{(x,y)} \ge 0$ for $\Delta(s, v) \ge 0$, $v_{(x,y)} \neq 0$, and $\iota = \pm 1$.

Lemma 13. If $v_{(x,y)} \neq 0$, then $\|(s + t v)_{(x,y)}\| = D$ if and only if $\Delta(s, v) \ge 0$ and
either $t = \Theta_D(s, v, -1)$ or $t = \Theta_D(s, v, 1)$.

Corollary 14. If $\Delta(s, v) \ge 0$ and $v_{(x,y)} \neq 0$, then $\mathit{circle\_case\_2D?}(s, v, t, \iota)$ if and
only if $t = \Theta_D(s, v, \iota)$.

Lemma 15. If $v_{(x,y)} \neq 0$, then $\|(s + t v)_{(x,y)}\| < D$ if and only if $\Delta(s, v) > 0$ and
$\Theta_D(s, v, -1) < t < \Theta_D(s, v, 1)$.

The next result follows directly from corollaries 11 and 14.

Corollary 16. If $\Delta(s, v) \ge 0$, $v_{(x,y)} \neq 0$, and $v_z \neq 0$, then $\mathit{circle\_case\_3D?}(s, v, t, \iota)$
if and only if $t > 0$ and the following string of equalities holds:

$$
t = \Theta_D(s, v, \iota) = \Theta_H(s_z, v_z, -\iota).
$$

Finally, the predicate $\mathit{line\_case?}$ defined in Section 4.4 can also be written in
terms of the function $\Theta_D$. It is clear from the definitions that $\Theta_D(s, v, -1) = \Theta_D(s, v, 1)$
is equivalent to the statement that the 2-dimensional trajectory from $s_{(x,y)}$ along
$v_{(x,y)}$ is tangent to the circle of radius $D$ around the origin. This statement is made
precise in the following corollary, which can be formally proven.

Corollary 17. If $s_{(x,y)} \cdot v_{(x,y)} < 0$ and $v_{(x,y)} \neq 0$, then $\mathit{line\_case?}(s, v, -1)$ or
$\mathit{line\_case?}(s, v, 1)$ holds if and only if $\Delta(s, v) \ge 0$ and $\Theta_D(s, v, -1) = \Theta_D(s, v, 1)$.

It follows from algebraic manipulations that if $\|s_{(x,y)}\| > D$ and $\Omega(v) = 1$, then
$s_{(x,y)} \cdot v_{(x,y)} < 0$.
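As an added illustration (not part of the paper or its PVS development), the following Python transcribes $\Theta_H$, $\Theta_D$, $\Delta$ and the four predicates of sections 4.1 to 4.4 in floating point, and uses corollaries 11, 14, 16 and 17 to report which of the four conditions of Theorem 9 hold for a given pair $(s, v)$. The values of $D$, $H$, $T$, $s$ and $v$ are constructed test data. The tolerance EPS is an assumption the verified algorithms do not need: the proofs are over exact reals, while on floats the equalities $\|(s + t v)_{(x,y)}\| = D$ and $\Theta_D = \Theta_H$ only ever hold approximately, which is the first thing to audit in any machine implementation of a proved-over-reals algorithm.

```python
import math

# Added example, not the paper's PVS code. Vectors are (x, y, z) tuples; D, H, T
# and the sample s, v used in the checks are constructed test data. EPS is an
# assumption: the PVS proofs are over exact reals, so on floats every equality
# in the predicates is checked only up to this tolerance.
EPS = 1e-9

def dot2(a, b):
    return a[0] * b[0] + a[1] * b[1]

def norm2(a):
    return math.hypot(a[0], a[1])

def perp(v):
    # v^perp = (v_y, -v_x, v_z), as in Section 4.4
    return (v[1], -v[0], v[2])

def theta_H(sz, vz, iota, H):
    # Equation (24); requires v_z != 0
    return (iota * (1.0 if vz > 0 else -1.0) * H - sz) / vz

def delta(s, v, D):
    # Equation (28): the quadratic (26) has real roots iff this is >= 0
    return dot2(s, v) ** 2 - norm2(v) ** 2 * (norm2(s) ** 2 - D * D)

def theta_D(s, v, iota, D):
    # Equation (27); requires v_(x,y) != 0 and Delta >= 0 (rounding can push an
    # exact tangency slightly below zero, hence max(., 0))
    return (-dot2(s, v) + iota * math.sqrt(max(delta(s, v, D), 0.0))) / norm2(v) ** 2

def vertical_case(sz, vz, t, iota, H):
    # Section 4.1: vertical separation is lost (iota=-1) or regained (+1) exactly at t
    z = sz + t * vz
    return abs(abs(z) - H) <= EPS and iota * z * vz >= -EPS

def circle_case_2D(s, v, t, iota, D):
    # Equation (20): on the circle at t, moving inward (iota=-1) or outward (+1)
    p = (s[0] + t * v[0], s[1] + t * v[1], 0.0)
    return abs(norm2(p) - D) <= EPS and iota * dot2(p, v) >= -EPS

def circle_case_3D(s, v, t, iota, D, H):
    # Equation (21): horizontal entry/exit at t coincides with vertical exit/entry
    return t > 0 and circle_case_2D(s, v, t, iota, D) and vertical_case(s[2], v[2], t, -iota, H)

def line_case(s, v, eps, D):
    # Section 4.4: the 2D trajectory is tangent to the circle, right (-1) or left (1)
    return dot2(s, v) < 0 and abs(-eps * dot2(s, perp(v)) - D * norm2(v)) <= EPS

def critical_cases(s, v, D, H, T):
    # Names of the conditions of Theorem 9 that hold for (s, v), evaluated with the
    # Theta functions through corollaries 11, 14, 16 and 17.
    found = []
    if norm2(s) > D and any(line_case(s, v, e, D) for e in (-1, 1)):
        found.append("line")
    if norm2(v) > EPS and delta(s, v, D) >= -EPS:
        if abs(s[2] + T * v[2]) < H and abs(T - theta_D(s, v, -1, D)) <= EPS:
            found.append("circle2D")
        if abs(v[2]) > EPS:
            for iota in (-1, 1):                       # Corollary 16
                tH = theta_H(s[2], v[2], -iota, H)
                if tH > 0 and abs(tH - theta_D(s, v, iota, D)) <= EPS:
                    found.append("circle3D")
    p = (s[0] + T * v[0], s[1] + T * v[1], 0.0)
    if norm2(p) < D and vertical_case(s[2], v[2], T, -1, H):
        found.append("vertical")
    return found
```

With $D = 6$, $H = 1$, $T = 10$ and $s = (10, 0, 0)$, the relative velocity $(-6.4, 4.8, 0)$ is a line solution (tangent to the circle at $t = 1$), $(-0.4, 0, 0)$ first touches the circle exactly at $T$ (a 2D circle solution), $(-0.8, 0, 0.2)$ enters the circle at $t = 5$, the very instant its $z$-component leaves $[-H, H]$ (a 3D circle solution), and from $s = (10, 0, 3)$ the velocity $(-0.8, 0, -0.2)$ is inside the circle at $T$ and reaches $|z| = H$ exactly then (a vertical solution).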

5 Track Angle Prevention Bands

This section presents a formally verified algorithm, namely track_bands, for track
angle prevention bands over the closed interval $[0, 2\pi]$, for the function $\nu_{\mathrm{trk}} : \mathbb{R} \to \mathbb{R}^3$,
defined by Equation (3) in Section 2.2. Given vectors $s$, $v_o$, and $v_i$, this algorithm
computes track angle maneuvers, i.e., vectors $v'_o$ that satisfy $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$
and $v'_{oz} = v_{oz}$.

The definition of track_bands depends on the algorithms track_line, track_circle_2D,
and track_circle_3D, which compute track angle maneuvers that are line solutions,
2D circle solutions, and 3D circle solutions, respectively. These three algorithms
are proved to be complete, i.e., they compute all vectors that satisfy their respective
predicate, and correct, i.e., only vectors that satisfy their respective predicate
are computed. The correctness of track_bands depends on the completeness of
track_line, track_circle_3D, and track_circle_2D.


5.1 A Special Version of $\Omega_\nu$ for $\nu = \nu_{\mathrm{trk}}$

For $\nu = \nu_{\mathrm{trk}}$, the function $\Omega_\nu$ defined in Equation (15) of Section 3 characterizes
conflict in the sense of Corollary 7 (Section 3.3). In this section, $\nu$ will refer
exclusively to the track angle function $\nu_{\mathrm{trk}}$. To prove the correctness of a track angle
prevention bands algorithm, it must be shown that the finite sequence $L_\nu$ returned
by the algorithm contains all track angles $\alpha \in [0, 2\pi]$ such that $\Omega_\nu(\alpha) = 1$. An
obvious requirement is that there be only finitely many track angles in the interval
$[0, 2\pi]$ for which this equation holds. As it turns out, there are several special cases
where this equation has infinitely many solutions for track angles $\alpha \in [0, 2\pi]$. Thus,
a variant of $\Omega_\nu$, namely $\Omega^*_{\mathrm{trk}}$, must be defined for these special cases.

Suppose that $s$, $v_o$, and $v_i$ satisfy $s_{(x,y)} = T\, v_{i(x,y)}$, $\|v_{o(x,y)}\|^2 = D^2/T^2$, and
$|s_z + T v_z| < H$, where $v = v_o - v_i$. In this case,

$$
\begin{aligned}
\|s_{(x,y)} + T\, v_{(x,y)}\| &= \|T\, v_{i(x,y)} + T\,(v_{o(x,y)} - v_{i(x,y)})\| \\
&= \|T\, v_{o(x,y)}\| \\
&= T\,\|v_{o(x,y)}\| \\
&= D.
\end{aligned} \tag{29}
$$

In addition, if $\alpha \in [0, 2\pi]$ is any track angle, then $\|\nu_{\mathrm{trk}}(\alpha)_{(x,y)}\| = \|v_{o(x,y)}\|$, and
therefore this equality holds if $v_o$ is replaced with the vector $\nu_{\mathrm{trk}}(\alpha)$. It follows
immediately that for any $\alpha$, $\Delta(s, \nu_{\mathrm{trk}}(\alpha) - v_i) \ge 0$. Lemma 13 in Section 4.6 implies
that $T$ is equal to $\Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, \iota)$ for some $\iota = \pm 1$. If $\|s_{(x,y)}\| > D$, there are
infinitely many track angles $\alpha$ such that $T = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, -1)$, in which case
Lemma 15 in Section 4.6 implies that the minimum $\min_{t \in [0,T]} \|s + t\,(\nu_{\mathrm{trk}}(\alpha) - v_i)\|_{\mathrm{cyl}}$ is
attained at $t = T$. Thus, if $\|s_{(x,y)}\| > D$, then the function $\Omega_\nu(\alpha) = \Omega(\nu_{\mathrm{trk}}(\alpha) - v_i)$
intersects the line at 1 at infinitely many points between 0 and $2\pi$. This special case
is specified by the following predicate and illustrated in Figure 10.

$$
\mathit{track\_spc?}(s, v_o, v_i, t) \;=\; s_{(x,y)} = t\, v_{i(x,y)} \ \text{ and }\ \|v_{o(x,y)}\|^2 = \frac{D^2}{t^2}. \tag{30}
$$

An appropriate replacement $\Omega^*_{\mathrm{trk}}$ for $\Omega_\nu$ in this case would have to satisfy the
following two properties.

$$
\Omega^*_{\mathrm{trk}}(\alpha) < 1 \iff \Omega_\nu(\alpha) < 1,
$$

$$
\Omega^*_{\mathrm{trk}}(\alpha) = 1 \implies \Omega_\nu(\alpha) = 1.
$$

In addition, the function $\Omega^*_{\mathrm{trk}}$ should allow only finitely many solutions to the
equation $\Omega^*_{\mathrm{trk}}(\alpha) = 1$ for $\alpha \in [0, 2\pi]$. If $\mathit{track\_spc?}(s, v_o, v_i, T)$ holds as above, then
the track angles $\alpha$ such that $T = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, -1)$ are precisely those angles
$\alpha$ such that $\Omega_\nu(\alpha) \ge 1$, and the angles $\alpha$ such that $T = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, 1)$ are
precisely those such that $\Omega_\nu(\alpha) \le 1$. Thus, it is easy to see that $\Omega^*_{\mathrm{trk}}(\alpha) = 1$
should imply that the following two equalities hold.

$$
T = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, -1) = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, 1).
$$

[Figure 10. A graph of $\Omega_\nu(\alpha) = \Omega(\nu_{\mathrm{trk}}(\alpha) - v_i)$]

By Corollary 14 and the definition of the predicate $\mathit{circle\_case\_2D?}$, it follows that

$$
\big(s_{(x,y)} + T\,(\nu_{\mathrm{trk}}(\alpha) - v_i)_{(x,y)}\big) \cdot (\nu_{\mathrm{trk}}(\alpha) - v_i)_{(x,y)} = 0.
$$

Replacing $s_{(x,y)}$ with $T\, v_{i(x,y)}$ and factoring out $T$, this is equivalent to the statement
that

$$
\begin{aligned}
0 &= \nu_{\mathrm{trk}}(\alpha)_{(x,y)} \cdot (\nu_{\mathrm{trk}}(\alpha) - v_i)_{(x,y)} \\
&= \|\nu_{\mathrm{trk}}(\alpha)_{(x,y)}\|^2 - \nu_{\mathrm{trk}}(\alpha)_{(x,y)} \cdot v_{i(x,y)} \\
&= \|v_{o(x,y)}\|^2 - \nu_{\mathrm{trk}}(\alpha)_{(x,y)} \cdot v_{i(x,y)} \\
&= \frac{D^2}{T^2} - \nu_{\mathrm{trk}}(\alpha)_{(x,y)} \cdot v_{i(x,y)}.
\end{aligned}
$$

This motivates the following definition of the function $\Omega^*_{\mathrm{trk}} : \mathbb{R} \to \mathbb{R}$, which depends
on the explicit parameters $v_o$, $v_i$, $t \in \mathbb{R}$, and $\iota = \pm 1$.

$$
\Omega^*_{\mathrm{trk}}(v_o, v_i, t, \iota)(\alpha) = \iota\Big(\nu_{\mathrm{trk}}(\alpha)_{(x,y)} \cdot v_{i(x,y)} - \frac{D^2}{t^2}\Big) + 1. \tag{31}
$$

Identical reasoning to that above can be used to prove that if $\mathit{track\_spc?}(s, v_o, v_i, t)$
holds and $\Omega^*_{\mathrm{trk}}(v_o, v_i, t, \iota)(\alpha) = 1$, then the following equalities hold.

$$
t = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, -1) = \Theta_D(s, \nu_{\mathrm{trk}}(\alpha) - v_i, 1).
$$

In particular, the following theorem can be formally proved using Corollary 17 in
Section 4.6.

Theorem 18. If $\mathit{track\_spc?}(s, v_o, v_i, t)$ holds and $\Omega^*_{\mathrm{trk}}(v_o, v_i, t, \iota)(\alpha) = 1$, then
$\mathit{line\_case?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i, \varepsilon)$ holds for some $\varepsilon = \pm 1$.

When proving the correctness of the track angle prevention bands algorithm
presented in the next sections, the function $\Omega^*_{\mathrm{trk}}$ will be used in the place of $\Omega_\nu$ when
$\mathit{track\_spc?}(s, v_o, v_i, T)$ holds. Thus, it is necessary to prove that $\Omega^*_{\mathrm{trk}}$ characterizes
conflict in some special cases.

Theorem 19. If $\mathit{track\_spc?}(s, v_o, v_i, t)$, then the equivalence

$$
\Omega^*_{\mathrm{trk}}(v_o, v_i, t, \iota)(\alpha) < 1 \iff \mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i)
$$

holds in each of the following three cases.

1. $\|s_{(x,y)}\| > D$, $v_{oz} \neq v_{iz}$, $t = \Theta_H(s_z, v_{oz} - v_{iz}, \iota)$, and $0 < t < T$.

2. $\|s_{(x,y)}\| > D$, $v_{oz} \neq v_{iz}$, $\iota = 1$, $t = \Theta_H(s_z, v_{oz} - v_{iz}, 1)$, and $t = T$.

3. $\iota = 1$, $t = T$, and $|s_z + T\,(v_{oz} - v_{iz})| < H$.

5.2 Line Solutions For Track Angle Maneuvers

The algorithm track_line, defined in this section, takes as parameters $s$, $v_o$, $v_i$,
$\varepsilon = \pm 1$, and $\iota = \pm 1$. It returns a vector $v'_o \in \mathbb{R}^3$ that is either the zero vector or is
equal to $\nu_{\mathrm{trk}}(\alpha)$ for some $\alpha \in [0, 2\pi)$ such that the relative velocity vector $v' = v'_o - v_i$
is tangent to the circle, i.e., it satisfies $\mathit{line\_case?}(s, v', \varepsilon)$. The main theorem in this
section states that track_line is correct and complete for line solutions that are
track angle maneuvers.

The definition of track_line requires the definition of an auxiliary function, namely
tangent_line, that takes as parameters a relative position vector $s \in \mathbb{R}^3$ such that
$\|s_{(x,y)}\| \ge D$ and a number $\varepsilon = \pm 1$, and returns a vector in $\mathbb{R}^3$ that is tangent to
the protected zone.

$$
\mathit{tangent\_line}(s, \varepsilon) =
\begin{cases}
\varepsilon\, s^{\perp} & \text{if } \|s_{(x,y)}\| = D, \\[6pt]
\dfrac{D^2}{d}\, s + \dfrac{\varepsilon\, D\, \sqrt{d - D^2}}{d}\, s^{\perp} - s, \quad \text{where } d = \|s_{(x,y)}\|^2, & \text{otherwise.}
\end{cases} \tag{32}
$$

The proofs of the following lemmas rely on standard vector algebra.

Lemma 20. If $\|s_{(x,y)}\| > D$ and $\varepsilon = \pm 1$, then $\mathit{line\_case?}(s, \mathit{tangent\_line}(s, \varepsilon), \varepsilon)$
holds.

Lemma 21. If $\|s_{(x,y)}\| > D$, then $\mathit{line\_case?}(s, v, \varepsilon)$ holds if and only if there exists
$k > 0$ such that

$$
v_{(x,y)} = k\, \mathit{tangent\_line}(s, \varepsilon)_{(x,y)}.
$$

If $v'_o \in \mathbb{R}^3$ is a track angle maneuver for the ownship such that $\mathit{line\_case?}(s, v'_o - v_i, \varepsilon)$
holds, then it holds that

$$
\|v_{o(x,y)}\|^2 = \|k\, \mathit{tangent\_line}(s, \varepsilon)_{(x,y)} + v_{i(x,y)}\|^2. \tag{33}
$$

Equation (33) has the form $\|v_{o(x,y)}\|^2 = \|k\, u + v_{i(x,y)}\|^2$, where $u \in \mathbb{R}^2$. Since it
will be necessary in later sections to solve similar equations of this form, a function
is needed that explicitly solves this equation for $k \in \mathbb{R}$.

It follows from the equation $\|v_{o(x,y)}\|^2 = \|k\, u + v_{i(x,y)}\|^2$ that

$$
\begin{aligned}
0 &= (k\, u + v_{i(x,y)}) \cdot (k\, u + v_{i(x,y)}) - \|v_{o(x,y)}\|^2 \\
&= \|u\|^2 k^2 + (2\, v_{i(x,y)} \cdot u)\, k + \big(\|v_{i(x,y)}\|^2 - \|v_{o(x,y)}\|^2\big).
\end{aligned} \tag{34}
$$

This is a quadratic equation in $k$. If $\iota = \pm 1$, then $\frac{-b + \iota\sqrt{b^2 - 4ac}}{2a}$ is a root of this
equation, where

$$
a = \|u\|^2, \qquad b = 2\, v_{i(x,y)} \cdot u, \qquad c = \|v_{i(x,y)}\|^2 - \|v_{o(x,y)}\|^2. \tag{35}
$$

Thus, if $b^2 - 4ac \ge 0$ and $k = \frac{-b + \iota\sqrt{b^2 - 4ac}}{2a}$ is positive, then the unique vector
$v'_o$ such that $v'_{oz} = v_{oz}$ and $v'_{o(x,y)} = k\, u + v_{i(x,y)}$ satisfies both $\|v'_{o(x,y)}\| =
\|v_{o(x,y)}\|$ and $\mathit{line\_case?}(s, v'_o - v_i, \varepsilon)$. This motivates the definition of the function
track_only_line, which returns a real number.

track_only_line(u, v_o, v_i, ι) =
    let
        a = ‖u‖²,
        b = 2 v_{i(x,y)} · u,
        c = ‖v_{i(x,y)}‖² − ‖v_{o(x,y)}‖²
    in
        if b² − 4ac ≥ 0 then
            (−b + ι √(b² − 4ac)) / (2a)
        else
            0
        endif                                                                (36)

The next lemma states that the algorithm track_only_line computes solutions
for $k$ to the equation $v'_{o(x,y)} = k\, u + v_{i(x,y)}$, where $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$.

Lemma 22. If $u \neq 0$, then $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$ and $k\, u = v'_{o(x,y)} - v_{i(x,y)}$ if and
only if

$$
k = \mathit{track\_only\_line}(u, v_o, v_i, \iota),
$$

for some $\iota = \pm 1$.

Using track_only_line, the algorithm track_line, which computes track angle
maneuvers $v'_o \in \mathbb{R}^3$ that satisfy $\mathit{line\_case?}(s, v'_o - v_i, \varepsilon)$ for $\varepsilon = \pm 1$, can be defined
as follows.

track_line(s, v_o, v_i, ε, ι) =
    let
        k = track_only_line(tangent_line(s, ε)_{(x,y)}, v_o, v_i, ι),
        v'_o = (k tangent_line(s, ε)_{(x,y)} + v_{i(x,y)}) with [z ← v_{oz}]
    in
        if k > 0 then
            v'_o
        else
            0
        endif                                                                (37)

The correctness and completeness of track_line follow from its definition and
Lemma 22.

Theorem 23 (Correctness and completeness of track_line). If $\|s_{(x,y)}\| > D$ and
$v'_{o(x,y)} \neq 0$, then $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} = v_{oz}$, and $\mathit{line\_case?}(s, v'_o - v_i, \varepsilon)$ holds
if and only if

$$
v'_o = \mathit{track\_line}(s, v_o, v_i, \varepsilon, \iota),
$$

for some $\iota = \pm 1$.


5.3 2D Circle Solutions For Track Angle Maneuvers

The algorithm track_circle_2D, defined in this section, takes as parameters $s$, $v_o$,
$v_i$, $t$, $\iota = \pm 1$, and $\varepsilon = \pm 1$. It returns a vector $v'_o \in \mathbb{R}^3$ that is either the zero vector
or is equal to $\nu_{\mathrm{trk}}(\alpha)$ for some $\alpha \in [0, 2\pi)$ such that the relative velocity vector
$v' = v'_o - v_i$ satisfies $\mathit{circle\_case\_2D?}(s, v', t, \iota)$. The main theorems in this section
state that track_circle_2D is correct and complete for 2D circle solutions that are
track angle maneuvers.

If $\mathit{circle\_case\_2D?}(s, v', t, \iota)$ holds, then the vector $v'$ must satisfy $\|s_{(x,y)} + t\, v'_{(x,y)}\|^2 =
D^2$. If $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, then algebraic manipulations can be used to show that

$$
\|s_{(x,y)} + t\, v'_{(x,y)}\|^2 = \|s_{(x,y)}\|^2 + t^2\,\|v_{o(x,y)}\|^2 + 2t\,(s_{(x,y)} - t\, v_{i(x,y)}) \cdot v'_{(x,y)} - t^2\,\|v_{i(x,y)}\|^2.
$$

Thus, if $t > 0$, then

$$
(s_{(x,y)} - t\, v_{i(x,y)}) \cdot v'_{(x,y)} = \frac{1}{2t}\Big(D^2 - \|s_{(x,y)}\|^2 - t^2\big(\|v_{o(x,y)}\|^2 - \|v_{i(x,y)}\|^2\big)\Big). \tag{38}
$$

This equation has the form $u \cdot v'_{(x,y)} = j$, where $u = (s - t\, v_i)_{(x,y)}$ and

$$
j = \frac{1}{2t}\Big(D^2 - \|s_{(x,y)}\|^2 - t^2\big(\|v_{o(x,y)}\|^2 - \|v_{i(x,y)}\|^2\big)\Big).
$$

Since it will be necessary in later sections to solve similar equations of the form
$u \cdot v'_{(x,y)} = j$, a function is needed that explicitly solves this equation for $v'_o$ when
$\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$.

Assuming $u \neq 0$, Equation (1) yields

$$
v'_{(x,y)} = \frac{1}{\|u\|^2}\Big((u \cdot v'_{(x,y)})\, u + (u^{\perp} \cdot v'_{(x,y)})\, u^{\perp}\Big) = \frac{1}{\|u\|^2}\big(j\, u + k\, u^{\perp}\big),
$$

where $k = u^{\perp} \cdot v'_{(x,y)}$. Lemma 22 in Section 5.2 can be used to prove that

$$
\frac{k}{\|u\|^2} = \mathit{track\_only\_line}\Big(u^{\perp}, v_o, v_i + \frac{j}{\|u\|^2}\, u, \iota\Big),
$$

for some $\iota = \pm 1$.

It follows from this that for $u \neq 0$, the function track_only_dot, defined below,
solves the equation $u \cdot (v'_{o(x,y)} - v_{i(x,y)}) = j$ for $v'_o$ when $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$.

track_only_dot(u, v_o, v_i, j, ι) =
    let
        k = track_only_line(u^⊥, v_o, v_i + (j / ‖u_{(x,y)}‖²) u, ι)
    in
        (k u^⊥ + v_{i(x,y)} + (j / ‖u_{(x,y)}‖²) u) with [z ← v_{oz}]                 (39)

Lemma 24. If $u \neq 0$ and $v'_{o(x,y)} \neq 0$, then $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} = v_{oz}$, and
$u \cdot (v'_{o(x,y)} - v_{i(x,y)}) = j$ if and only if

$$
v'_o = \mathit{track\_only\_dot}(u, v_o, v_i, j, \iota),
$$

for some $\iota = \pm 1$.

The function track_only_dot is used to solve Equation (38) when $u \neq 0$ and
$t > 0$. Using track_only_dot, the algorithm track_circle_2D, which computes
track angle maneuvers $v'_o \in \mathbb{R}^3$ that satisfy $\mathit{circle\_case\_2D?}(s, v'_o - v_i, t, \iota)$ for $\iota = \pm 1$,
can be defined as follows.

track_circle_2D(s, v_o, v_i, t, ι, ε) =
    let
        u = (s − t v_i)_{(x,y)},
        j = (D² − ‖s_{(x,y)}‖² − t² (‖v_{o(x,y)}‖² − ‖v_{i(x,y)}‖²)) / (2t)
    in
        if u ≠ 0 then
            let
                v'_o = track_only_dot(u, v_o, v_i, j, ε)
            in
                if ι ((s + t (v'_o − v_i))_{(x,y)} · (v'_o − v_i)_{(x,y)}) ≥ 0 then
                    v'_o
                else
                    0
                endif
        else
            0
        endif                                                                (40)

The correctness and completeness of track_circle_2D follow from its definition
and Lemma 24.

Theorem 25 (Correctness of track_circle_2D). If $v'_{o(x,y)} \neq 0$ and

$$
v'_o = \mathit{track\_circle\_2D}(s, v_o, v_i, t, \iota, \varepsilon),
$$

then $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} = v_{oz}$, and $\mathit{circle\_case\_2D?}(s, v'_o - v_i, t, \iota)$ holds.

Theorem 26 (Completeness of track_circle_2D). If $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} =
v_{oz}$, and $\mathit{circle\_case\_2D?}(s, v'_o - v_i, t, \iota)$ holds, then either $\mathit{track\_spc?}(s, v_o, v_i, t)$ holds
or

$$
v'_o = \mathit{track\_circle\_2D}(s, v_o, v_i, t, \iota, \varepsilon)
$$

for some $\varepsilon = \pm 1$.


5.4 3D Circle Solutions For Track Angle Maneuvers

Theorems 25 and 26 imply that the algorithm track_circle_2D can be used to
compute vectors $v'_o$ such that $\mathit{circle\_case\_2D?}(s, v'_o - v_i, t, \iota)$ holds, where $t > 0$.
By the definition of the predicate $\mathit{circle\_case\_3D?}$ in Section 4.3, this algorithm can
be used to compute vectors $v'_o$ such that $\mathit{circle\_case\_3D?}(s, v'_o - v_i, \Theta_H(s_z, v_{oz} -
v_{iz}, -\iota), \iota)$ holds when $\Theta_H(s_z, v_{oz} - v_{iz}, -\iota) > 0$. This motivates the definition of
the algorithm track_circle_3D, which takes as parameters $s$, $v_o$, $v_i$, $\iota = \pm 1$,
and $\varepsilon = \pm 1$. It returns a vector $v'_o \in \mathbb{R}^3$ that is either the zero vector or is equal
to $\nu_{\mathrm{trk}}(\alpha)$ for some $\alpha \in [0, 2\pi)$ such that the relative velocity vector $v' = v'_o - v_i$
satisfies $\mathit{circle\_case\_3D?}(s, v', \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$.

track_circle_3D(s, v_o, v_i, ι, ε) =
    if v_{oz} = v_{iz} then
        0
    else
        let t = Θ_H(s_z, v_{oz} − v_{iz}, −ι) in
            if t > 0 then
                track_circle_2D(s, v_o, v_i, t, ι, ε)
            else
                0
            endif
    endif                                                                    (41)

The following theorems state that track_circle_3D is correct and complete for
3D circle solutions that are track angle maneuvers. These properties follow from
theorems 25 and 26, and properties of the function $\Theta_H$ presented in Section 4.6.

Theorem 27 (Correctness of track_circle_3D). If $v'_{o(x,y)} \neq 0$ and

$$
v'_o = \mathit{track\_circle\_3D}(s, v_o, v_i, \iota, \varepsilon),
$$

then $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} = v_{oz}$, and $\mathit{circle\_case\_3D?}(s, v'_o - v_i, \Theta_H(s_z, v_{oz} -
v_{iz}, -\iota), \iota)$ holds.

Theorem 28 (Completeness of track_circle_3D). If $\|v'_{o(x,y)}\| = \|v_{o(x,y)}\|$, $v'_{oz} =
v_{oz}$, $v_{oz} \neq v_{iz}$, and $\mathit{circle\_case\_3D?}(s, v'_o - v_i, \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$ holds, then
either $\mathit{track\_spc?}(s, v_o, v_i, \Theta_H(s_z, v_{oz} - v_{iz}, -\iota))$ holds or

$$
v'_o = \mathit{track\_circle\_3D}(s, v_o, v_i, \iota, \varepsilon),
$$

for some $\varepsilon = \pm 1$.

5.5 A Prevention Bands Algorithm For Track Angle Maneuvers

Using the functions defined in the previous sections, the prevention bands algorithm
track_bands for the function $\nu_{\mathrm{trk}} : \mathbb{R} \to \mathbb{R}^3$ can be defined as follows, where $V$ is
a sequence of vectors, $|V|$ is its length, $\mathcal{L}$ is a set of real numbers, and sort is a
function that takes as parameter a set of real numbers and returns the sequence of
elements in the set that is sorted by increasing order.⁴

⁴ For readability, the algorithm is written using pseudo-code including assignment and bounded
loop constructions. The PVS development provides a functional version of this code.

track_bands(s, v_o, v_i) =
    V_0 := track_circle_3D(s, v_o, v_i, −1, −1);
    V_1 := track_circle_3D(s, v_o, v_i, −1, 1);
    V_2 := track_circle_3D(s, v_o, v_i, 1, −1);
    V_3 := track_circle_3D(s, v_o, v_i, 1, 1);
    if ‖s_{(x,y)}‖ > D then
        V_4 := track_circle_2D(s, v_o, v_i, T, −1, −1);
        V_5 := track_circle_2D(s, v_o, v_i, T, −1, 1);
        V_6 := track_line(s, v_o, v_i, −1, −1);
        V_7 := track_line(s, v_o, v_i, −1, 1);
        V_8 := track_line(s, v_o, v_i, 1, −1);
        V_9 := track_line(s, v_o, v_i, 1, 1);
    endif
    𝓛 := {0, 2π};
    for i = 0 to |V| − 1 do
        if V_{i(x,y)} ≠ 0 then
            𝓛 := 𝓛 ∪ {track(V_i)};
        endif
    endfor
    L_trk := sort(𝓛);

The finite, ordered sequence $L_{\mathrm{trk}}$ returned by track_bands is computed using
every possible instantiation of the parameters $\varepsilon$ and $\iota$, both of which can be $\pm 1$, in
the functions track_line, track_circle_2D, and track_circle_3D. For each vector
$v'_o$ returned by one of these three algorithms for $s$, $v_o$, and $v_i$ with the property
that $v'_{o(x,y)} \neq 0$, the track angle of $v'_o$ is an element of the sequence returned by
track_bands.
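The algorithms of sections 5.2 to 5.5, transcribed as an added Python example that is not the paper's PVS development: tangent_line (32), track_only_line (36), track_line (37), track_only_dot (39), track_circle_2D (40), track_circle_3D (41) and track_bands, plus a conflict? check built from the entry and exit intervals of lemmas 12 and 15 so that each band between consecutive boundaries can be labelled. Beyond the constructed values of $D$, $H$, $T$, $s$, $v_o$ and $v_i$, two assumptions are made: the track angle convention $\mathrm{track}(v) = \mathrm{atan2}(v_x, v_y) \bmod 2\pi$ (Equation (3) of Section 2.2 is not reproduced in this excerpt), and the tolerance EPS standing in for comparisons that the proofs carry out over exact reals.

```python
import math

# Added example, not the paper's PVS development. Vectors are (x, y, z) tuples.
# D, H, T and the sample s, v_o, v_i are constructed test data; EPS stands in for
# the exact real comparisons of the proofs; the track-angle convention below
# (clockwise from the y axis) is an assumption, Equation (3) not being in this excerpt.
EPS = 1e-9
ZERO = (0.0, 0.0, 0.0)

def dot2(a, b): return a[0] * b[0] + a[1] * b[1]
def norm2(a): return math.hypot(a[0], a[1])
def perp(v): return (v[1], -v[0], v[2])                      # v^perp of Section 4.4
def add2(a, b): return (a[0] + b[0], a[1] + b[1], 0.0)
def sub2(a, b): return (a[0] - b[0], a[1] - b[1], 0.0)
def sub3(a, b): return (a[0] - b[0], a[1] - b[1], a[2] - b[2])
def scale2(k, v): return (k * v[0], k * v[1], 0.0)
def with_z(v, z): return (v[0], v[1], z)                      # "with [z <- ...]"

def theta_H(sz, vz, iota, H):                                 # Equation (24), v_z != 0
    return (iota * (1.0 if vz > 0 else -1.0) * H - sz) / vz

def tangent_line(s, eps, D):                                  # Equation (32), ||s_(x,y)|| >= D
    d = norm2(s) ** 2
    if abs(norm2(s) - D) <= EPS:
        return scale2(eps, perp(s))
    c = eps * D * math.sqrt(max(d - D * D, 0.0)) / d
    return sub2(add2(scale2(D * D / d, s), scale2(c, perp(s))), s)

def track_only_line(u, v_o, v_i, iota):                       # Equation (36)
    a, b = norm2(u) ** 2, 2.0 * dot2(v_i, u)
    c = norm2(v_i) ** 2 - norm2(v_o) ** 2
    disc = b * b - 4.0 * a * c
    return 0.0 if disc < 0.0 else (-b + iota * math.sqrt(disc)) / (2.0 * a)

def track_line(s, v_o, v_i, eps, iota, D):                    # Equation (37)
    u = tangent_line(s, eps, D)
    k = track_only_line(u, v_o, v_i, iota)
    return with_z(add2(scale2(k, u), v_i), v_o[2]) if k > EPS else ZERO

def track_only_dot(u, v_o, v_i, j, iota):                     # Equation (39)
    shift = add2(scale2(j / norm2(u) ** 2, u), v_i)            # v_i + (j/||u||^2) u
    k = track_only_line(perp(u), v_o, shift, iota)
    return with_z(add2(scale2(k, perp(u)), shift), v_o[2])

def track_circle_2D(s, v_o, v_i, t, iota, eps, D):            # Equation (40)
    u = sub2(s, scale2(t, v_i))
    j = (D * D - norm2(s) ** 2 - t * t * (norm2(v_o) ** 2 - norm2(v_i) ** 2)) / (2.0 * t)
    if norm2(u) <= EPS:
        return ZERO
    v = track_only_dot(u, v_o, v_i, j, eps)
    rel = sub2(v, v_i)                                         # v' = v'_o - v_i
    return v if iota * dot2(add2(s, scale2(t, rel)), rel) >= -EPS else ZERO

def track_circle_3D(s, v_o, v_i, iota, eps, D, H):            # Equation (41)
    if abs(v_o[2] - v_i[2]) <= EPS:
        return ZERO
    t = theta_H(s[2], v_o[2] - v_i[2], -iota, H)
    return track_circle_2D(s, v_o, v_i, t, iota, eps, D) if t > 0 else ZERO

def track(v):                                                 # track angle in [0, 2 pi)
    return math.atan2(v[0], v[1]) % (2.0 * math.pi)

def nu_trk(alpha, v_o):                                       # track maneuver of angle alpha
    r = norm2(v_o)
    return (r * math.sin(alpha), r * math.cos(alpha), v_o[2])

def track_bands(s, v_o, v_i, D, H, T):                        # Section 5.5
    V = [track_circle_3D(s, v_o, v_i, i, e, D, H) for i in (-1, 1) for e in (-1, 1)]
    if norm2(s) > D:
        V += [track_circle_2D(s, v_o, v_i, T, -1, e, D) for e in (-1, 1)]
        V += [track_line(s, v_o, v_i, e, i, D) for e in (-1, 1) for i in (-1, 1)]
    return sorted({0.0, 2.0 * math.pi} | {track(v) for v in V if norm2(v) > EPS})

def conflict(s, v, D, H, T):
    # conflict?: some t in [0, T] with ||(s + t v)_(x,y)|| < D and |s_z + t v_z| < H,
    # i.e. the open horizontal (Lemma 15) and vertical (Lemma 12) intervals overlap
    if norm2(v) <= EPS:
        lo_h, hi_h = (-math.inf, math.inf) if norm2(s) < D else (1.0, 0.0)
    else:
        dl = dot2(s, v) ** 2 - norm2(v) ** 2 * (norm2(s) ** 2 - D * D)
        if dl <= 0.0:
            return False
        lo_h = (-dot2(s, v) - math.sqrt(dl)) / norm2(v) ** 2
        hi_h = (-dot2(s, v) + math.sqrt(dl)) / norm2(v) ** 2
    if abs(v[2]) <= EPS:
        lo_v, hi_v = (-math.inf, math.inf) if abs(s[2]) < H else (1.0, 0.0)
    else:
        lo_v, hi_v = theta_H(s[2], v[2], -1, H), theta_H(s[2], v[2], 1, H)
    return max(lo_h, lo_v, 0.0) < min(hi_h, hi_v, T)

def band_regions(s, v_o, v_i, D, H, T):
    # Label the interval between consecutive boundaries by its midpoint; Theorem 29
    # is what guarantees the conflict status is constant inside each interval.
    L = track_bands(s, v_o, v_i, D, H, T)
    return [(lo, hi, conflict(s, sub3(nu_trk((lo + hi) / 2.0, v_o), v_i), D, H, T))
            for lo, hi in zip(L, L[1:])]
```

For a stationary intruder at the origin, the ownship at $s = (10, 0, 0)$ flying at unit speed straight at it, $D = 6$, $H = 1$ and $T = 10$, the 3D circle and 2D circle calls all return the zero vector (the vertical speeds are equal, and every maneuver that is on the circle at $T$ is exiting it), so the only boundaries are the two tangent headings $(-0.8, \pm 0.6)$ produced by track_line; the band between them is the conflict band and the two outer bands are conflict-free. The midpoint sampling in band_regions is exactly the step that a wrong or incomplete boundary list would silently corrupt, which is why the completeness theorems matter operationally.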

Theorem 29 (Correctness of track_bands). The track angle prevention bands
algorithm track_bands is correct for $\nu_{\mathrm{trk}}$ over the interval $[0, 2\pi]$.

Proof. By Theorem 2 in Section 2.5, it suffices to find a continuous function $\Omega : \mathbb{R} \to
\mathbb{R}$, parameterized by $s$, $v_o$, and $v_i$, that satisfies the following two properties.

1. For all $\alpha \in [0, 2\pi]$,

$$
\Omega(\alpha) < 1 \iff \mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i).
$$

2. For all $\alpha \in [0, 2\pi]$,

$$
\Omega(\alpha) = 1 \implies \alpha \in \mathit{track\_bands}(s, v_o, v_i).
$$

In most cases, the function $\Omega_\nu$, where $\nu = \nu_{\mathrm{trk}}$, defined in Equation (15) of Section 3,
will suffice. However, in some special cases, the function $\Omega^*_{\mathrm{trk}}$, defined in
Equation (31) of Section 5.1, will be used. The latter case is considered first.

Suppose that $\mathit{track\_spc?}(s, v_o, v_i, t)$, where $t > 0$, and that one of the following
conditions holds.

1. $\|s_{(x,y)}\| > D$, $v_{oz} \neq v_{iz}$, $t = \Theta_H(s_z, v_{oz} - v_{iz}, \iota)$, and $0 < t < T$.

2. $\|s_{(x,y)}\| > D$, $v_{oz} \neq v_{iz}$, $\iota = 1$, $t = \Theta_H(s_z, v_{oz} - v_{iz}, 1)$, and $t = T$.

3. $\iota = 1$, $t = T$, and $|s_z + T\,(v_{oz} - v_{iz})| < H$.

By Theorem 19 in Section 5.1,

$$
\Omega^*_{\mathrm{trk}}(v_o, v_i, t, \iota)(\alpha) < 1 \iff \mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i)
$$

holds for any $\alpha \in \mathbb{R}$. Thus, all that is required to complete the proof in this special
case is to prove that for all $\alpha \in [0, 2\pi]$, $\Omega^*_{\mathrm{trk}}(\alpha) = 1$ implies

$$
\alpha \in \mathit{track\_bands}(s, v_o, v_i).
$$

If $\Omega^*_{\mathrm{trk}}(\alpha) = 1$, then Theorem 18 implies that $\mathit{line\_case?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i, \varepsilon)$, for some
$\varepsilon = \pm 1$. By the completeness of the algorithm track_line (Theorem 23 in Section 5.2),
if $\|s_{(x,y)}\| > D$, then $\nu_{\mathrm{trk}}(\alpha)$ is equal to $\mathit{track\_line}(s, v_o, v_i, \varepsilon, \iota)$, for some
$\iota = \pm 1$. Thus, $\alpha = \mathrm{track}(\nu_{\mathrm{trk}}(\alpha))$ is equal to $\mathrm{track}(\mathit{track\_line}(s, v_o, v_i, \varepsilon, \iota))$,
which, by definition, is an element of $\mathit{track\_bands}(s, v_o, v_i)$. If $\|s_{(x,y)}\| < D$, then it
must be true that the third condition holds: $\iota = 1$, $t = T$, and $|s_z + T\,(v_{oz} - v_{iz})| <
H$. In this case, it is easy to prove that for any $\alpha \in \mathbb{R}$, $\mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i)$, and
therefore $\Omega^*_{\mathrm{trk}}(\alpha) < 1$. This completes the proof in the case where one of the three
conditions above holds.

Now suppose that the second condition above holds, but where $\iota = 1$ is replaced
with $\iota = -1$. That is, suppose that $\|s_{(x,y)}\| > D$, $v_{oz} \neq v_{iz}$, $t = \Theta_H(s_z, v_{oz} -
v_{iz}, -1)$, $t = T$, and $\mathit{track\_spc?}(s, v_o, v_i, T)$. Since $\nu_{\mathrm{trk}}(\alpha)_z = v_{oz}$ for any $\alpha \in \mathbb{R}$,
Lemma 12 of Section 4.6 can be used to show that $\mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i)$ does not
hold for any $\alpha \in \mathbb{R}$. In this case, the correctness of the algorithm track_bands is
trivial.

The proof has now been reduced to the case where neither of the following
conditions hold.

1. $v_{oz} \neq v_{iz}$ and there exists $\iota = \pm 1$ such that $\mathit{track\_spc?}(s, v_o, v_i, t)$ and $0 < t \le
T$, where $t = \Theta_H(s_z, v_{oz} - v_{iz}, \iota)$.

2. $\mathit{track\_spc?}(s, v_o, v_i, T)$ and $|s_z + T\,(v_{oz} - v_{iz})| < H$.

By Corollary 7 of Section 3.3, the function $\Omega_\nu$, where $\nu = \nu_{\mathrm{trk}}$, characterizes
conflict. Suppose that $\alpha \in [0, 2\pi]$ and $\Omega_\nu(\alpha) = 1$. Since $\Omega_\nu(\alpha) = \Omega(\nu_{\mathrm{trk}}(\alpha) - v_i)$,
Theorem 9 in Section 4.5 implies that one of the following conditions holds, where
$v = \nu_{\mathrm{trk}}(\alpha) - v_i$.

• $\|s_{(x,y)}\| > D$ and $\mathit{line\_case?}(s, v, \varepsilon)$, for some $\varepsilon = \pm 1$.

• $|s_z + T v_z| < H$ and $\mathit{circle\_case\_2D?}(s, v, T, -1)$.

• There is some real number $t > 0$ such that $\mathit{circle\_case\_3D?}(s, v, t, \iota)$, for some
$\iota = \pm 1$.

• $\|s_{(x,y)} + T v_{(x,y)}\| < D$ and $\mathit{vertical\_case?}(s_z, v_z, T, -1)$.

These cases are now considered individually.

• Suppose first that $\|s_{(x,y)}\| > D$ and $\mathit{line\_case?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i, \varepsilon)$, for some
$\varepsilon = \pm 1$. By completeness of track_line (Theorem 23), $\nu_{\mathrm{trk}}(\alpha)$ is equal to
$\mathit{track\_line}(s, v_o, v_i, \varepsilon, \iota)$, for some $\iota = \pm 1$. Thus, $\alpha = \mathrm{track}(\nu_{\mathrm{trk}}(\alpha))$ is
equal to $\mathrm{track}(\mathit{track\_line}(s, v_o, v_i, \varepsilon, \iota))$, which, by definition, is an element
of $\mathit{track\_bands}(s, v_o, v_i)$.

• Suppose that $|s_z + T v_z| < H$ and $\mathit{circle\_case\_2D?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i, T, -1)$. Since
the second of the two excluded conditions above does not hold, $\mathit{track\_spc?}(s, v_o, v_i, T)$
is false, so by completeness of the algorithm track_circle_2D (Theorem 26), $\nu_{\mathrm{trk}}(\alpha)$ is equal
to $\mathit{track\_circle\_2D}(s, v_o, v_i, T, -1, \varepsilon)$, for some $\varepsilon = \pm 1$. Thus,
$\alpha = \mathrm{track}(\nu_{\mathrm{trk}}(\alpha)) = \mathrm{track}(\mathit{track\_circle\_2D}(s, v_o, v_i, T, -1, \varepsilon))$. Hence, $\alpha$ is
an element of $\mathit{track\_bands}(s, v_o, v_i)$.

• Suppose that there is a real number $t > 0$ such that $\mathit{circle\_case\_3D?}(s, v, t, \iota)$,
where $\iota = \pm 1$. Assume that $v_{oz} \neq v_{iz}$. By completeness of track_circle_3D
(Theorem 28), $\nu_{\mathrm{trk}}(\alpha) = \mathit{track\_circle\_3D}(s, v_o, v_i, \iota, \varepsilon)$ for some $\iota = \pm 1$ and
$\varepsilon = \pm 1$. Thus, as above,

$$
\alpha = \mathrm{track}(\nu_{\mathrm{trk}}(\alpha)) = \mathrm{track}(\mathit{track\_circle\_3D}(s, v_o, v_i, \iota, \varepsilon)).
$$

Hence, $\alpha$ is an element of $\mathit{track\_bands}(s, v_o, v_i)$. The case where $v_{oz} = v_{iz}$
can be equally discharged.

• Finally, suppose that $\|s_{(x,y)} + T v_{(x,y)}\| < D$ and $\mathit{vertical\_case?}(s_z, v_z, T, -1)$.
In this case, the fact that $\nu_{\mathrm{trk}}(\alpha)_z = v_{oz}$ implies that $\mathit{conflict?}(s, \nu_{\mathrm{trk}}(\alpha) - v_i)$
does not hold for any $\alpha \in \mathbb{R}$. From there, the correctness of the algorithm
track_bands is trivial.
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6 Ground Speed Prevention Bands 

This section presents a formally verified algorithm, namely gs_bands, for ground 
speed prevention bands over an arbitrary interval [gsmin, gsmax] for the function 
v g S : R i— > R 3 , defined by Equation (4) in Section 2.2. The boundaries of the interval, 
gsmin and gsmax , represent (postitive) minimum and maximum ground speeds 
for the ownship aircraft, respectively. Given vectors s, v 0 , and v*, this algorithm 
computes ground speed maneuvers, i.e., vectors V Q that satisfy ^ 0 (x,y) — Vv 0 ( x ,y)i 
for some £ > 0, and v' oz = v oz . 

The definition of gs_bands depends on the algorithms gs_line, gs_circle_2D, 
and gs_circle_3D, which compute ground speed maneuvers that are line solutions, 
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2D circle solutions, and 3D circle solutions, respectively. These three algorithms are 
proved to be complete and correct for ground speed maneuvers that satisfy their 
respective predicate. The correctness of gsJbands depends on the completeness of 
gs_line, gs_circle_3D, and gs_circle_2D. 

If is a ground speed maneuver for the ownship, then there is some positive 
p G R such that is gs (p) = v^. Therefore, Vo( Xi y) = where £ = ^ and 

e>o. 

6.1 Line Solutions For Ground Speed Maneuvers 

The algorithm gs_line, defined in this section, takes as parameters s, v 0 , v*, f, and 
e = ±1. It returns a vector G R 3 that is either the zero vector or is equal to 
is g s{p) for some p G R such that the relative velocity vector v' = v' Q — v* is tangent 
to the circle, i.e., it satisfies line_case?( s,v',e). The main theorem in this section 
states that gs_line is correct and complete for line solutions that are ground speed 
maneuvers. 

Suppose lls^ ^H > D and that V Q is a vector in R 3 such that v f 0 ( Xi y) — ^o{ x ,y)- 
Suppose further that line-case?( s, v' 0 — v*, s) holds for some s = ±1. By Lemma 21 of 
Section 5.2, there is some k > 0 such that £\ 0 (x.y) — & tangent_line(s, £) + \i( x ,y)- 
This equation has the form 

?Vo( x ,y) = ku + Vi( Xt y), (43) 

where $\mathbf{u} \in \mathbb{R}^2$. Functions can be defined that explicitly solve this equation for $k$ and 
$\ell$. It is easily proved that 

$$(\mathbf{v}_{i(x,y)} \cdot \mathbf{u}^{\perp})\,\mathbf{v}_{o(x,y)} = (\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp})\,\mathbf{v}_{i(x,y)} - (\mathbf{v}_{o(x,y)} \cdot \mathbf{v}_{i(x,y)}^{\perp})\,\mathbf{u}.$$

Thus, if $\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp} \neq 0$, then 

$$k = \frac{\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}}, \qquad (44)$$

$$\ell = \frac{\mathbf{v}_{i(x,y)} \cdot \mathbf{u}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}}. \qquad (45)$$
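The two formulas can be read off Equation (43) directly; the following short derivation is added here and is not part of the original text. Taking the dot product of both sides of (43) with $\mathbf{v}_{o(x,y)}^{\perp}$ eliminates $\ell$ (since $\mathbf{v}_{o(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} = 0$), and taking it with $\mathbf{u}^{\perp}$ eliminates $k$; the identity $\mathbf{a} \cdot \mathbf{b}^{\perp} = -\mathbf{b} \cdot \mathbf{a}^{\perp}$ then puts both results over the same denominator:

$$0 = k\,(\mathbf{u} \cdot \mathbf{v}_{o(x,y)}^{\perp}) + \mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} \;\Longrightarrow\; k = -\frac{\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp}}{\mathbf{u} \cdot \mathbf{v}_{o(x,y)}^{\perp}} = \frac{\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}},$$

$$\ell\,(\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}) = \mathbf{v}_{i(x,y)} \cdot \mathbf{u}^{\perp} \;\Longrightarrow\; \ell = \frac{\mathbf{v}_{i(x,y)} \cdot \mathbf{u}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}}.$$

Both divisions require $\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp} \neq 0$, which is exactly the test performed by the algorithms that follow.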


This motivates the definition of the algorithms gs_line_k and gs_line_l, which 
solve Equation (43) for $k$ and $\ell$. 

gs_line_k$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i) \equiv$ (46)
  if $\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp} \neq 0$ then 
    $\dfrac{\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}}$ 
  else 
    $\mathbf{0}$ 
  endif 

gs_line_l$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i) \equiv$ (47)
  if $\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp} \neq 0$ then 
    $\max\left(\dfrac{\mathbf{v}_{i(x,y)} \cdot \mathbf{u}^{\perp}}{\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp}},\ 0\right)$ 
  else 
    $0$ 
  endif 


Lemma 30. If $\ell > 0$ and either $\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} \neq 0$ or $\mathbf{v}_{o(x,y)} \cdot \mathbf{u}^{\perp} \neq 0$, then Equation (43) holds if and only if $k = $ gs_line_k$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i)$ and $\ell = $ gs_line_l$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i)$. 

Using gs_line_k and gs_line_l, the algorithm gs_line, which computes ground 
speed maneuvers $\mathbf{v}'_o \in \mathbb{R}^3$ that satisfy line_case?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ for $\varepsilon = \pm 1$, can be 
defined as follows. 

gs_line$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, \varepsilon) =$ (48)
  let 
    $\mathbf{u} = \mathrm{tangent\_line}(\mathbf{s}, \varepsilon)_{(x,y)}$ 
    $k = $ gs_line_k$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i)$ 
    $\ell = $ gs_line_l$(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i)$ 
  in 
    if $k > 0$ then 
      $\ell\,\mathbf{v}_{o(x,y)}$ with $[z \leftarrow v_{oz}]$ 
    else 
      $\mathbf{0}$ 
    endif 

The correctness and completeness of gs_line follow from its definition and 
Lemma 30. 

Theorem 31 (Correctness and completeness of gs_line). If $\|\mathbf{s}_{(x,y)}\| > D$, $\mathbf{v}'_{o(x,y)} \neq \mathbf{0}$, and either $\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} \neq 0$ or $\mathbf{v}_{o(x,y)} \cdot \mathrm{tangent\_line}(\mathbf{s}, \varepsilon)^{\perp}_{(x,y)} \neq 0$, then 
$v'_{oz} = v_{oz}$, $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$ for some $\ell > 0$, and line_case?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ holds if 
and only if 

$$\mathbf{v}'_o = \mathrm{gs\_line}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, \varepsilon).$$

This theorem does not hold if $\|\mathbf{s}_{(x,y)}\| > D$, $\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} = 0$, and $\mathbf{v}_{o(x,y)} \cdot \mathrm{tangent\_line}(\mathbf{s}, \varepsilon)^{\perp}_{(x,y)} = 0$. This case has to be handled separately in the verification of correctness of the ground speed prevention bands algorithm. 
6.2 2D Circle Solutions For Ground Speed Maneuvers 


The algorithm gs_circle_2D, defined in this section, takes as parameters $\mathbf{s}$, $\mathbf{v}_o$, $\mathbf{v}_i$, 
$t$, $\iota = \pm 1$, and $\varepsilon = \pm 1$. It returns a vector $\mathbf{v}'_o \in \mathbb{R}^3$ that is either the zero 
vector or is equal to $\nu_{gs}(\rho)$ for some $\rho > 0$ such that the relative velocity vector 
$\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ satisfies circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$. The main theorems in this 
section state that gs_circle_2D is correct and complete for 2D circle solutions that 
are ground speed maneuvers. 

If circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ holds, then the vector $\mathbf{v}'_o$ must satisfy 

$$\|\mathbf{s}_{(x,y)} + t\,(\mathbf{v}'_{o(x,y)} - \mathbf{v}_{i(x,y)})\| = D.$$

If $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$, then simple algebraic manipulation can be used to show that 
$a\ell^2 + b\ell + c = 0$, where 

$$a = t^2\,\|\mathbf{v}_{o(x,y)}\|^2,$$
$$b = 2t\,(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)} \cdot \mathbf{v}_{o(x,y)},$$
$$c = \|(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)}\|^2 - D^2.$$

This is a quadratic equation in $\ell$, which can be solved using the quadratic formula. Note that if $\mathbf{v}'_o$ represents a ground speed maneuver for the ownship, then 
$\ell$ must be positive, since $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$. This motivates the following definition 
of the algorithm gs_circle_2D, which computes ground speed maneuvers $\mathbf{v}'_o \in \mathbb{R}^3$ 
that satisfy circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ for $\iota = \pm 1$. 
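The "simple algebraic manipulation" is the expansion of the squared norm; the following derivation is added here, with the page's own symbols, and is not part of the original text:

$$\|\mathbf{s}_{(x,y)} + t\,(\ell\,\mathbf{v}_{o(x,y)} - \mathbf{v}_{i(x,y)})\|^2 = \|(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)} + t\ell\,\mathbf{v}_{o(x,y)}\|^2 = \|(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)}\|^2 + 2t\ell\,(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)} \cdot \mathbf{v}_{o(x,y)} + t^2\ell^2\,\|\mathbf{v}_{o(x,y)}\|^2.$$

Setting the right-hand side equal to $D^2$ and collecting powers of $\ell$ gives $a\ell^2 + b\ell + c = 0$ with exactly the coefficients $a$, $b$, and $c$ above.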

gs_circle_2D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \iota, \varepsilon) =$ (49)
  let 
    $a = t^2\,\|\mathbf{v}_{o(x,y)}\|^2$ 
    $b = 2t\,(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)} \cdot \mathbf{v}_{o(x,y)}$ 
    $c = \|(\mathbf{s} - t\,\mathbf{v}_i)_{(x,y)}\|^2 - D^2$ 
  in 
    if $b^2 - 4ac \geq 0$ then 
      let 
        $\ell = \dfrac{-b + \varepsilon\sqrt{b^2 - 4ac}}{2a}$ 
      in 
        let 
          $\mathbf{v}'_o = \max(\ell, 0)\,\mathbf{v}_{o(x,y)}$ with $[z \leftarrow v_{oz}]$ 
        in 
          if $\iota\,(\mathbf{s} + t\,(\mathbf{v}'_o - \mathbf{v}_i))_{(x,y)} \cdot (\mathbf{v}'_o - \mathbf{v}_i)_{(x,y)} \geq 0$ then 
            $\mathbf{v}'_o$ 
          else 
            $\mathbf{0}$ 
          endif 
    else 
      $\mathbf{0}$ 
    endif 


The correctness and completeness of gs_circle_2D follow from its definition and 
the correctness and completeness of the quadratic formula, which has been proved 
in PVS. 

Theorem 32 (Correctness of gs_circle_2D). If $\mathbf{v}'_{o(x,y)} \neq \mathbf{0}$ and 

$$\mathbf{v}'_o = \mathrm{gs\_circle\_2D}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \iota, \varepsilon),$$

then circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ holds, $v'_{oz} = v_{oz}$, and $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$ for some 
$\ell > 0$. 

Theorem 33 (Completeness of gs_circle_2D). If $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$, $\ell > 0$, $v'_{oz} = v_{oz}$, and circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ holds, then 

$$\mathbf{v}'_o = \mathrm{gs\_circle\_2D}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \iota, \varepsilon),$$

for some $\varepsilon = \pm 1$. 


6.3 3D Circle Solutions For Ground Speed Maneuvers 

Theorems 32 and 33 imply that the algorithm gs_circle_2D can be used to compute vectors $\mathbf{v}'_o$ such that circle_case_2D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ holds, where $t > 0$. By the 
definition of the predicate circle_case_3D? in Section 4.3, this algorithm can be used 
to compute vectors $\mathbf{v}'_o$ such that circle_case_3D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$ 
holds when $\Theta_H(s_z, v_{oz} - v_{iz}, -\iota) > 0$. This motivates the definition of the algorithm gs_circle_3D, which takes as parameters $\mathbf{s}$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\iota$, and $\varepsilon$. It returns a vector $\mathbf{v}'_o \in \mathbb{R}^3$ such that the relative velocity vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ satisfies 
circle_case_3D?$(\mathbf{s}, \mathbf{v}', \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$. 

gs_circle_3D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, \iota, \varepsilon) =$ (50)
  if $v_{oz} = v_{iz}$ then 
    $\mathbf{0}$ 
  else 
    let 
      $t = \Theta_H(s_z, v_{oz} - v_{iz}, -\iota)$ 
    in 
      if $t > 0$ then 
        gs_circle_2D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \iota, \varepsilon)$ 
      else 
        $\mathbf{0}$ 
      endif 
  endif 

The following theorems state that gs_circle_3D is correct and complete for 3D 
circle solutions that are ground speed maneuvers. These properties follow from 
Theorems 32 and 33, and properties of the function $\Theta_H$ presented in Section 4.6. 

Theorem 34 (Correctness of gs_circle_3D). If $\mathbf{v}'_{o(x,y)} \neq \mathbf{0}$ and 

$$\mathbf{v}'_o = \mathrm{gs\_circle\_3D}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, \iota, \varepsilon),$$

then circle_case_3D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$ holds, $v'_{oz} = v_{oz}$, and $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$ for some $\ell > 0$. 

Theorem 35 (Completeness of gs_circle_3D). If $\mathbf{v}'_{o(x,y)} = \ell\,\mathbf{v}_{o(x,y)}$, $\ell > 0$, $v'_{oz} = v_{oz}$, $v_{oz} \neq v_{iz}$, and circle_case_3D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \Theta_H(s_z, v_{oz} - v_{iz}, -\iota), \iota)$ holds, then 

$$\mathbf{v}'_o = \mathrm{gs\_circle\_3D}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, \iota, \varepsilon),$$

for some $\varepsilon = \pm 1$. 

6.4 A Prevention Bands Algorithm For Ground Speed Maneuvers 

The prevention bands algorithm gs_bands for the function $\nu_{gs} : \mathbb{R} \to \mathbb{R}^3$ that computes a sorted sequence $L_{\nu_{gs}}$ is defined in a similar way to algorithm track_bands 
in Section 5.5. 

gs_bands$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i) =$ 
  $V_0 :=$ gs_circle_3D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, -1, -1)$; 
  $V_1 :=$ gs_circle_3D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, -1, 1)$; 
  $V_2 :=$ gs_circle_3D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, 1, -1)$; 
  $V_3 :=$ gs_circle_3D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, 1, 1)$; 
  if $\|\mathbf{s}_{(x,y)}\| > D$ then 
    $V_4 :=$ gs_circle_2D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, -1, -1)$; 
    $V_5 :=$ gs_circle_2D$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, -1, 1)$; 
    $V_6 :=$ gs_line$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, -1)$; 
    $V_7 :=$ gs_line$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, 1)$; 
  endif 
  $\mathcal{L} := \{gsmin, gsmax\}$; 
  for $i = 1$ to $|V|$ do 
    if $V_{i(x,y)} \neq \mathbf{0}$ and $gsmin < \|V_{i(x,y)}\| < gsmax$ then 
      $\mathcal{L} := \mathcal{L} \cup \{\|V_{i(x,y)}\|\}$; 
    endif 
  endfor 
  $L_{\nu_{gs}} := \mathrm{sort}(\mathcal{L})$; 
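The ground speed bands computation of Sections 6.1 to 6.4 (gs_line_k, gs_line_l, gs_line, gs_circle_2D, gs_circle_3D and gs_bands) as a runnable Python example. This is added code, not the paper's PVS development nor any implementation by its authors. It assumes $\mathbf{v}^{\perp} = (-v_y, v_x)$; that $\mathrm{tangent\_line}(\mathbf{s}, \varepsilon)_{(x,y)}$ is the direction from $\mathbf{s}_{(x,y)}$ to the $\varepsilon$-selected tangent point of the circle of radius $D$ (Section 5.2 is not on this page); that $\Theta_H(s_z, v_z, \iota)$ is the time at which $|s_z + t v_z| = H$, with $\iota = -1$ the entry and $\iota = +1$ the exit time (Section 4.6 is not on this page); and constructed values for $D$, $H$, $T$, $gsmin$, $gsmax$ and the traffic geometry. It also evaluates the conflict? predicate directly, so that every band between consecutive boundaries can be labelled, which is the property Theorem 36 establishes formally.

```python
import math

# Constructed sample separation standard and lookahead time (not the paper's values).
D, H, T = 5.0, 1.0, 3.0
ZERO = (0.0, 0.0, 0.0)

def perp(v):
    return (-v[1], v[0])        # v^perp, assumed convention (90 degrees counter-clockwise)

def dot(a, b):                  # horizontal (x, y) dot product, also accepted on 3-vectors
    return a[0] * b[0] + a[1] * b[1]

def tangent_line(s, eps):
    # Assumed form of tangent_line(s, eps)(x,y) (Section 5.2 is not on this page): the
    # direction from s(x,y) to the tangent point, selected by eps, of the circle of
    # radius D around the origin.  Requires ||s(x,y)|| > D.
    n2 = dot(s, s)
    c, d = D * D / n2, eps * D * math.sqrt(n2 - D * D) / n2
    p = perp(s)
    return (c * s[0] + d * p[0] - s[0], c * s[1] + d * p[1] - s[1])

def gs_line_k(u, vo, vi):            # Equation (46)
    den = dot(vo, perp(u))
    return dot(vi, perp(vo)) / den if den != 0 else 0.0

def gs_line_l(u, vo, vi):            # Equation (47)
    den = dot(vo, perp(u))
    return max(dot(vi, perp(u)) / den, 0.0) if den != 0 else 0.0

def gs_line(s, vo, vi, eps):         # Equation (48)
    u = tangent_line(s, eps)
    l = gs_line_l(u, vo, vi)
    return (l * vo[0], l * vo[1], vo[2]) if gs_line_k(u, vo, vi) > 0 else ZERO

def gs_circle_2D(s, vo, vi, t, iota, eps):
    # Equation (49): l solves a l^2 + b l + c = 0, i.e. ||s + t(v'_o - v_i)|| = D.
    w = (s[0] - t * vi[0], s[1] - t * vi[1])          # (s - t v_i)(x,y)
    a, b, c = t * t * dot(vo, vo), 2 * t * dot(w, vo), dot(w, w) - D * D
    disc = b * b - 4 * a * c
    if a == 0 or disc < 0:
        return ZERO
    l = max((-b + eps * math.sqrt(disc)) / (2 * a), 0.0)
    vp = (l * vo[0], l * vo[1], vo[2])
    rel = (vp[0] - vi[0], vp[1] - vi[1])
    pos = (s[0] + t * rel[0], s[1] + t * rel[1])      # (s + t(v'_o - v_i))(x,y)
    return vp if iota * dot(pos, rel) >= 0 else ZERO   # iota = -1 entry, +1 exit

def theta_H(sz, vz, iota):
    # Assumed form of Theta_H (Section 4.6 is not on this page): the time at which
    # |s_z + t v_z| = H; iota = -1 entry, iota = +1 exit.  Requires vz != 0.
    return (iota * math.copysign(H, vz) - sz) / vz

def gs_circle_3D(s, vo, vi, iota, eps):   # Equation (50)
    if vo[2] == vi[2]:
        return ZERO
    t = theta_H(s[2], vo[2] - vi[2], -iota)
    return gs_circle_2D(s, vo, vi, t, iota, eps) if t > 0 else ZERO

def gs_bands(s, vo, vi, gsmin, gsmax):
    # gs_bands of Section 6.4: candidates V_0..V_7, keep the ground speeds strictly
    # inside [gsmin, gsmax], return them sorted together with the endpoints.
    V = [gs_circle_3D(s, vo, vi, iota, eps) for iota in (-1, 1) for eps in (-1, 1)]
    if math.hypot(s[0], s[1]) > D:
        V += [gs_circle_2D(s, vo, vi, T, -1, eps) for eps in (-1, 1)]
        V += [gs_line(s, vo, vi, eps) for eps in (-1, 1)]
    L = {gsmin, gsmax}
    for v in V:
        g = math.hypot(v[0], v[1])
        if g != 0 and gsmin < g < gsmax:
            L.add(g)
    return sorted(L)

def conflict(s, v):
    # conflict?(s, v): horizontal and vertical separation both lost at some t in [0, T].
    # {t : q2 t^2 + q1 t + q0 < 0} is an open interval, empty, or all of R.
    def below_zero(q2, q1, q0):
        if q2 == 0:                          # then q1 == 0 too: constant sign
            return (-math.inf, math.inf) if q0 < 0 else None
        disc = q1 * q1 - 4 * q2 * q0
        if disc <= 0:
            return None
        r = math.sqrt(disc)
        return ((-q1 - r) / (2 * q2), (-q1 + r) / (2 * q2))
    h = below_zero(dot(v, v), 2 * dot(s, v), dot(s, s) - D * D)
    z = below_zero(v[2] * v[2], 2 * s[2] * v[2], s[2] * s[2] - H * H)
    if h is None or z is None:
        return False
    return max(h[0], z[0], 0.0) < min(h[1], z[1], T)

def colour_bands(s, vo, vi, gsmin, gsmax):
    # Label each band between consecutive boundaries by the conflict status of the
    # ground speed maneuver nu_gs(rho) at its midpoint.
    L, g, out = gs_bands(s, vo, vi, gsmin, gsmax), math.hypot(vo[0], vo[1]), []
    for lo, hi in zip(L, L[1:]):
        rho = (lo + hi) / 2
        vp = (rho * vo[0] / g, rho * vo[1] / g, vo[2])         # nu_gs(rho)
        out.append((lo, hi, conflict(s, (vp[0] - vi[0], vp[1] - vi[1], vp[2] - vi[2]))))
    return out

# Constructed scenario: ownship 10 units east of the intruder and heading west,
# intruder heading north at ground speed 1, both level (v_oz = v_iz = 0).
SAMPLE = ((10.0, 0.0, 0.0), (-1.0, 0.0, 0.0), (0.0, 1.0, 0.0))
```

For the constructed scenario, `gs_bands(*SAMPLE, 1.0, 4.0)` returns the boundaries $1$, $\sqrt{3}$, $2$ and $4$: $\sqrt{3}$ is the tangent (line) solution found by gs_line with $\varepsilon = -1$, and $2$ is the ground speed at which horizontal separation is lost exactly at the lookahead time, found by gs_circle_2D at $t = T$. `colour_bands` labels $[1, \sqrt{3}]$ and $[\sqrt{3}, 2]$ conflict-free and $[2, 4]$ as conflict; the middle band is free only because its loss of separation would occur after $T$.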

Theorem 36 (Correctness of gs_bands). The ground speed prevention bands algorithm gs_bands is correct for $\nu_{gs}$ over the interval $[gsmin, gsmax]$. 

Proof. The first step in the proof is to consider the special case where $\|\mathbf{s}_{(x,y)}\| > D$, 
$\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} = 0$, and $\mathbf{v}_{o(x,y)} \cdot \mathrm{tangent\_line}(\mathbf{s}, \varepsilon)^{\perp}_{(x,y)} = 0$. This case is handled 
separately because it is explicitly excluded from the hypotheses of Theorem 31. In 
this case, it can be proved that the vectors $\mathrm{tangent\_line}(\mathbf{s}, \varepsilon)_{(x,y)}$, $\mathbf{v}_{o(x,y)}$, and 
$\mathbf{v}_{i(x,y)}$ are all collinear. 

To prove correctness of the algorithm for the special case, it suffices to show that 
if $\rho \in [gsmin, gsmax]$, then conflict?$(\mathbf{s}, \nu_{gs}(\rho) - \mathbf{v}_i)$ does not hold. Since $\nu_{gs}(\rho)$ is a 
ground speed maneuver of $\mathbf{v}_o$, both vectors point in the same direction. Therefore, 
$\nu_{gs}(\rho)_{(x,y)} - \mathbf{v}_{i(x,y)}$ is also collinear with $\mathrm{tangent\_line}(\mathbf{s}, \varepsilon)_{(x,y)}$. The trajectory from 
$\mathbf{s}_{(x,y)}$ along $\nu_{gs}(\rho)_{(x,y)} - \mathbf{v}_{i(x,y)}$ is therefore tangent to the circle of radius $D$ around 
the origin and is never in horizontal conflict. 

In the general case, suppose that it is not true that $\|\mathbf{s}_{(x,y)}\| > D$, $\mathbf{v}_{i(x,y)} \cdot \mathbf{v}_{o(x,y)}^{\perp} = 0$, and $\mathbf{v}_{o(x,y)} \cdot \mathrm{tangent\_line}(\mathbf{s}, \varepsilon)^{\perp}_{(x,y)} = 0$. In this case, by Theorem 2 in Section 2.5, it suffices to prove that the function $\Omega_{\nu}$, where $\nu = \nu_{gs}$, satisfies the 
following two properties. 

1. For all ground speeds $\rho \in [gsmin, gsmax]$, 

$$\Omega_{\nu}(\rho) < 1 \iff \mathrm{conflict?}(\mathbf{s}, \nu_{gs}(\rho) - \mathbf{v}_i).$$

2. For all ground speeds $\rho \in [gsmin, gsmax]$, 

$$\Omega_{\nu}(\rho) = 1 \implies \rho \in \mathrm{gs\_bands}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i).$$

The first of these properties follows immediately from Corollary 7 in Section 3.3. All 
that is left to verify is the second property, the proof of which is identical in form 
and substance to the general case of the proof of Theorem 29 in Section 5.5. □ 

7 Vertical Speed Prevention Bands 

This section presents a formally verified algorithm, namely vs_bands, for vertical 
speed prevention bands over an arbitrary interval $[vsmin, vsmax]$ for the function 
$\nu_{vs} : \mathbb{R} \to \mathbb{R}^3$, defined by Equation (5) in Section 2.2. The boundaries of the interval, $vsmin$ and $vsmax$, represent minimum and maximum vertical speeds for the 
ownship aircraft, respectively. Given vectors $\mathbf{s}$, $\mathbf{v}_o$, and $\mathbf{v}_i$, this algorithm computes 
vertical speed maneuvers, i.e., vectors $\mathbf{v}'_o$ that satisfy $\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$. 

The definition of vs_bands depends on the algorithm vs_circle, which computes 
vertical speed maneuvers that are 3D circle solutions and vertical solutions. This 
algorithm is proved to be complete for vertical speed maneuvers. The correctness 
of vs_bands depends on the completeness of vs_circle. 

By the definition of circle_case_3D? in Equation (21), circle_case_3D?$(\mathbf{s}, \mathbf{v}, t, \iota)$ 
implies vertical_case?$(s_z, v_z, t, -\iota)$ and circle_case_2D?$(\mathbf{s}, \mathbf{v}, t, \iota)$ for any $t \in \mathbb{R}$ and 
$\iota = \pm 1$. Thus, an algorithm for computing 3D circle solutions for vertical speed maneuvers will also compute vertical solutions and 2D circle solutions. If vertical_case?$(s_z, v_z, t, -\iota)$ 
holds, then $|s_z + t v_z| = H$ and therefore there is some $\varepsilon = \pm 1$ such that $s_z + t v_z = \varepsilon H$. The function vs_at, defined below, takes as parameters $s_z$, a nonzero real 
number $t$, and $\varepsilon = \pm 1$. It returns the real number $v_z$ such that $s_z + t v_z = \varepsilon H$. 

$$\mathrm{vs\_at}(s_z, t, \varepsilon) = \frac{\varepsilon H - s_z}{t}. \qquad (52)$$

Lemma 37. If $v_z$ is a real number, then $s_z + t v_z = \varepsilon H$ if and only if 

$$v_z = \mathrm{vs\_at}(s_z, t, \varepsilon).$$

The next lemma states that the function vs_at can be used to compute vertical 
solutions. The proof follows from Equation (19) and Lemma 37. 

Lemma 38. If $t > 0$ and vertical_case?$(s_z, v_z, t, -1)$ holds, then 

$$v_z = \mathrm{vs\_at}(s_z, t, \mathrm{sign}(s_z)).$$


7.1 3D Circle and Vertical Solutions For Vertical Speed Maneuvers 

The algorithm vs_circle, defined in this section, takes as parameters $\mathbf{s}$, $\mathbf{v}_o$, $\mathbf{v}_i$, 
$t$, and $\varepsilon = \pm 1$. It returns a vector $\mathbf{v}'_o$ that is either the zero vector or is equal 
to $\nu_{vs}(r)$ for some $r \in \mathbb{R}$ such that the relative vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ satisfies 
circle_case_3D?$(\mathbf{s}, \mathbf{v}', t, \iota)$. The main theorems in this section state that vs_circle 
computes all 3D circle solutions and all vertical solutions that are vertical speed 
maneuvers. 

Suppose that $\Delta(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i) > 0$ and circle_case_3D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t, \iota)$ holds, where 
$\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$ and $v'_{oz} = r$. It is easy to prove that $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) > 0$ implies 
$\mathbf{v}_{o(x,y)} \neq \mathbf{v}_{i(x,y)}$. Since $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) = \Delta(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i)$, Corollary 14 in Section 4.6 
implies that $t = \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota)$. Since vertical_case?$(s_z, (r - v_{iz}), t, -\iota)$ holds, there 
is some $\varepsilon = \pm 1$ such that 

$$s_z + \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota)\,(r - v_{iz}) = \varepsilon H. \qquad (53)$$

Since $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota) > 0$, the following equivalence holds. 

$$r = v_{iz} \iff H = \varepsilon s_z.$$

Suppose that $H \neq \varepsilon s_z$. Multiplying both sides of Equation (53) by $\varepsilon$ and applying 
the fact that $\varepsilon^2 = 1$ yields 

$$\varepsilon s_z + \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota)\,\varepsilon\,(r - v_{iz}) = H.$$

Since $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota) > 0$, it follows that 

$$-\mathrm{sign}(\varepsilon\,(r - v_{iz})) = \mathrm{sign}(\varepsilon s_z - H). \qquad (54)$$

Since vertical_case?$(s_z, (r - v_{iz}), \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota), -\iota)$ holds, 

$$-\iota\,\bigl(s_z + \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota)\,(r - v_{iz})\bigr)\,(r - v_{iz}) \geq 0.$$

It therefore follows from Equation (53) that $-\iota\,\varepsilon H\,(r - v_{iz}) \geq 0$. Since $H > 0$ and 
$r \neq v_{iz}$, basic arithmetic manipulations can be used to deduce that 

$$-\mathrm{sign}(\varepsilon\,(r - v_{iz})) = \iota. \qquad (55)$$

Putting Equations (54) and (55) together, the following equality holds. 

$$\mathrm{sign}(\varepsilon s_z - H) = \iota \qquad (56)$$

This equation is used to select the appropriate choice of $\iota$ in the algorithm vs_circle, 
defined below in Equation (58), even in the case where $\varepsilon s_z = H$. It follows from 
Lemma 37 that 

$$r = v_{iz} + \mathrm{vs\_at}(s_z, \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota), \varepsilon). \qquad (57)$$

This equation also appears in the definition of vs_circle, which is given below. It 
returns a vector $\mathbf{v}'_o \in \mathbb{R}^3$ such that either $\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$ or $\mathbf{v}'_o = \mathbf{0}$. 
vs_circle$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \varepsilon) =$ (58)
  if $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \leq 0$ then 
    if $\varepsilon s_z \geq H$ and $t > 0$ then 
      $\mathbf{v}_{o(x,y)}$ with $[z \leftarrow v_{iz} + \mathrm{vs\_at}(s_z, t, \varepsilon)]$ 
    else 
      $\mathbf{0}$ 
    endif 
  else 
    let 
      $\Theta_{-1} = \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, -1)$, 
      $\Theta_{+1} = \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1)$, 
      $T_{min} = \min(t, \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1))$ 
    in 
      if $\varepsilon s_z < H$ and $\|\mathbf{s}_{(x,y)}\| > D$ then 
        $\mathbf{v}_{o(x,y)}$ with $[z \leftarrow v_{iz} + \mathrm{vs\_at}(s_z, \Theta_{-1}, \varepsilon)]$ 
      elsif $\varepsilon s_z \geq H$ and $T_{min} > 0$ then 
        $\mathbf{v}_{o(x,y)}$ with $[z \leftarrow v_{iz} + \mathrm{vs\_at}(s_z, T_{min}, \varepsilon)]$ 
      else 
        $\mathbf{0}$ 
      endif 
  endif 

The completeness of vs_circle for 3D circle and vertical solutions follows from 
its definition, Lemma 38, and properties of the function $\Theta_D$ presented in Section 4.6. 

Theorem 39 (Completeness of vs_circle for 3D Circle Solutions). If $\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$, $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) > 0$, $\iota = \pm 1$, $t > 0$, circle_case_3D?$(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, t', \iota)$ for some 
$t' \in \mathbb{R}$, and either $\iota = -1$ or $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1) \leq t$, then 

$$\mathbf{v}'_o = \mathrm{vs\_circle}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \varepsilon),$$

for some $\varepsilon = \pm 1$. 

Theorem 40 (Completeness of vs_circle for Vertical Solutions). If $\mathbf{v}'_{o(x,y)} = \mathbf{v}_{o(x,y)}$, vertical_case?$(s_z, v'_{oz} - v_{iz}, t, -1)$, and either $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \leq 0$ or $t \leq \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1)$, then 

$$\mathbf{v}'_o = \mathrm{vs\_circle}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, t, \varepsilon),$$

for some $\varepsilon = \pm 1$. 
7.2 A Prevention Bands Algorithm For Vertical Speed Maneuvers 

The prevention bands algorithm vs_bands for the function $\nu_{vs} : \mathbb{R} \to \mathbb{R}^3$ that computes a sorted sequence $L_{\nu_{vs}}$ is defined in a similar way to the previous algorithms 
track_bands in Section 5.5 and gs_bands in Section 6.4. 

vs_bands$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i) =$ (59)
  $V_0 :=$ vs_circle$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, -1)$; 
  $V_1 :=$ vs_circle$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, 1)$; 
  $\mathcal{L} := \{vsmin, vsmax\}$; 
  for $i = 1$ to $|V|$ do 
    if $V_{i(x,y)} \neq \mathbf{0}$ and $vsmin < V_{iz} < vsmax$ then 
      $\mathcal{L} := \mathcal{L} \cup \{V_{iz}\}$; 
    endif 
  endfor 
  $L_{\nu_{vs}} := \mathrm{sort}(\mathcal{L})$; 
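The vertical speed bands computation of Section 7 (vs_at, vs_circle and vs_bands) as a runnable Python example. This is added code, not the paper's PVS development nor any implementation by its authors. It assumes the forms $\Delta(\mathbf{s}, \mathbf{v}) = D^2\|\mathbf{v}_{(x,y)}\|^2 - (\mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)}^{\perp})^2$ and $\Theta_D(\mathbf{s}, \mathbf{v}, \iota) = (-\mathbf{s}_{(x,y)} \cdot \mathbf{v}_{(x,y)} + \iota\sqrt{\Delta(\mathbf{s}, \mathbf{v})})/\|\mathbf{v}_{(x,y)}\|^2$ for the functions of Section 4.6, which is not on this page, and constructed values for $D$, $H$, $T$, $vsmin$, $vsmax$ and the traffic geometry. `boundary_contacts` is an added check that a returned candidate touches the horizontal circle and the vertical slab at the time the corresponding predicate refers to.

```python
import math

# Constructed sample separation standard and lookahead time (not the paper's values).
D, H, T = 5.0, 1.0, 3.0
ZERO = (0.0, 0.0, 0.0)

def dot2(a, b):                               # horizontal (x, y) dot product
    return a[0] * b[0] + a[1] * b[1]

def delta(s, v):
    # Assumed form of Delta(s, v) (Section 4.6 is not on this page): discriminant of
    # ||s(x,y) + t v(x,y)||^2 = D^2, positive iff the horizontal trajectory crosses
    # the circle of radius D.
    det = s[0] * v[1] - s[1] * v[0]           # s(x,y) . v(x,y)^perp, up to sign
    return D * D * dot2(v, v) - det * det

def theta_D(s, v, iota):
    # Assumed form of Theta_D(s, v, iota): the time at which ||s(x,y) + t v(x,y)|| = D,
    # iota = -1 entry, iota = +1 exit.  Requires delta(s, v) >= 0 and v(x,y) != 0.
    return (-dot2(s, v) + iota * math.sqrt(delta(s, v))) / dot2(v, v)

def vs_at(sz, t, eps):                        # Equation (52)
    return (eps * H - sz) / t

def vs_circle(s, vo, vi, t, eps):             # Equation (58)
    v = (vo[0] - vi[0], vo[1] - vi[1])
    sz = s[2]
    def keep_xy(z):                           # v_o(x,y) with [z <- v_iz + z]
        return (vo[0], vo[1], vi[2] + z)
    if delta(s, v) <= 0:
        return keep_xy(vs_at(sz, t, eps)) if eps * sz >= H and t > 0 else ZERO
    th_m1, th_p1 = theta_D(s, v, -1), theta_D(s, v, 1)
    t_min = min(t, th_p1)
    if eps * sz < H and math.hypot(s[0], s[1]) > D:
        return keep_xy(vs_at(sz, th_m1, eps))
    if eps * sz >= H and t_min > 0:
        return keep_xy(vs_at(sz, t_min, eps))
    return ZERO

def vs_bands(s, vo, vi, vsmin, vsmax):        # Equation (59)
    L = {vsmin, vsmax}
    for cand in (vs_circle(s, vo, vi, T, -1), vs_circle(s, vo, vi, T, 1)):
        if (cand[0], cand[1]) != (0.0, 0.0) and vsmin < cand[2] < vsmax:
            L.add(cand[2])
    return sorted(L)

def relative(vp, vi):
    return (vp[0] - vi[0], vp[1] - vi[1], vp[2] - vi[2])

def boundary_contacts(s, v, t, tol=1e-9):
    # Added check: at time t, is the relative trajectory exactly on the horizontal
    # circle (||s + t v|| = D) and exactly on the vertical slab (|s_z + t v_z| = H)?
    # A 3D circle solution needs both; a vertical solution at the lookahead time
    # needs only the second.
    hx, hy = s[0] + t * v[0], s[1] + t * v[1]
    return (abs(math.hypot(hx, hy) - D) < tol, abs(abs(s[2] + t * v[2]) - H) < tol)

# Constructed scenario: ownship 10 units east of and 2 units above the intruder,
# flying west at ground speed 2 and level; the intruder's velocity is zero.
# Horizontal separation is lost for t in (2.5, 7.5), of which only (2.5, 3] is
# inside the lookahead time T.
SAMPLE = ((10.0, 0.0, 2.0), (-2.0, 0.0, 0.0), (0.0, 0.0, 0.0))
```

In the constructed scenario `vs_bands(*SAMPLE, -2.0, 1.0)` returns $-2$, $-1.2$, $-1/3$ and $1$. At vertical speed $-1.2$ the ownship leaves the vertical slab exactly as it enters the horizontal circle at $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, -1) = 2.5$, which `boundary_contacts` reports as contact with both the circle and the slab (a 3D circle solution); at $-1/3$ it reaches vertical separation $H$ exactly at $T = 3$, contact with the slab only (a vertical solution). Descending faster than $1.2$ clears the intruder vertically before horizontal separation is lost, and vertical speeds above $-1/3$ keep vertical separation for the whole lookahead, so only the band between the two computed boundaries is in conflict.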

Theorem 41 (Correctness of vs_bands). The vertical speed prevention bands algorithm vs_bands is correct for $\nu_{vs}$ over the interval $[vsmin, vsmax]$. 

Proof. By Theorem 2 in Section 2.5, it suffices to prove that the function $\Omega_{\nu}$, where 
$\nu = \nu_{vs}$, satisfies the following two properties. 

1. For all vertical speeds $r \in [vsmin, vsmax]$, 

$$\Omega_{\nu}(r) < 1 \iff \mathrm{conflict?}(\mathbf{s}, \nu_{vs}(r) - \mathbf{v}_i).$$

2. For all vertical speeds $r \in [vsmin, vsmax]$, 

$$\Omega_{\nu}(r) = 1 \implies r \in \mathrm{vs\_bands}(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i).$$

The first of these properties follows immediately from Corollary 7 in Section 3.3. To 
prove the second property, suppose that $r \in [vsmin, vsmax]$ and $\Omega_{\nu}(r) = 1$, where 
$\nu = \nu_{vs}$. Since $\Omega_{\nu}(r) = \Omega(\mathbf{s}, \nu_{vs}(r) - \mathbf{v}_i)$, Theorem 9 implies that one of the following 
conditions holds, where $\mathbf{v} = \nu_{vs}(r) - \mathbf{v}_i$. 

• $\|\mathbf{s}_{(x,y)}\| > D$ and either line_case?$(\mathbf{s}, \mathbf{v}, -1)$ or line_case?$(\mathbf{s}, \mathbf{v}, 1)$. 

• $|s_z + T v_z| < H$ and circle_case_2D?$(\mathbf{s}, \mathbf{v}, T, -1)$. 

• There is some real number $t > 0$ such that circle_case_3D?$(\mathbf{s}, \mathbf{v}, t, \iota)$, for 
some $\iota = \pm 1$. 

• $\|\mathbf{s}_{(x,y)} + T\,\mathbf{v}_{(x,y)}\| < D$ and vertical_case?$(s_z, v_z, T, -1)$. 

In each of the first two cases, it can easily be shown that conflict?$(\mathbf{s}, \nu_{vs}(x) - \mathbf{v}_i)$ 
does not hold for any $x \in \mathbb{R}$. In this case, by Definition 2 in Section 2.4, it follows 
that the prevention bands algorithm vs_bands is correct for $\nu_{vs}$ over $[vsmin, vsmax]$. 
The latter two cases are considered individually. For the rest of the proof, it is 
assumed that $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) > 0$. The proof in the case where $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \leq 0$ is 
left to the reader. Since $\Delta(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) > 0$, it is easy to prove that $\mathbf{v}_{o(x,y)} \neq \mathbf{v}_{i(x,y)}$. 

Suppose that there is some real number $t > 0$ such that circle_case_3D?$(\mathbf{s}, \mathbf{v}, t, \iota)$, 
where $\iota = \pm 1$. By the definition of circle_case_3D? (Equation (21) in Section 4.3) 
and Corollary 14 in Section 4.6, it follows that $t = \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota)$. By Theorem 39 
in Section 7.1 (completeness of vs_circle for 3D circle solutions), if either $\iota = -1$ 
or $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \iota) \leq T$, then $\nu_{vs}(r)$ is equal to vs_circle$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, \varepsilon)$, for some 
$\varepsilon = \pm 1$. Thus, $r \in$ vs_bands$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)$. Alternatively, if $\iota = 1$ and $\Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1) > T$, it can be proved from the definition of the function $\Omega$ that $\Omega_{\nu}(r) > 1$, 
a contradiction. 

Finally, suppose that $\|\mathbf{s}_{(x,y)} + T\,\mathbf{v}_{(x,y)}\| < D$ and vertical_case?$(s_z, v_z, T, -1)$. 
The proof in this case is similar to the case above. By Theorem 40 in Section 7.1 
(completeness of vs_circle for vertical solutions), if $T \leq \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1)$, then 
$\nu_{vs}(r)$ is equal to vs_circle$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i, T, \varepsilon)$, for some $\varepsilon = \pm 1$. Thus, it holds that 
$r \in$ vs_bands$(\mathbf{s}, \mathbf{v}_o, \mathbf{v}_i)$. Alternatively, if $T > \Theta_D(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, 1)$, it can be proved 
that $\Omega_{\nu}(r) > 1$, a contradiction. □ 


8 Conclusion 

In [3], Maddalon et al. present, without verification, 3D algorithms for track angle, 
ground speed, and vertical speed prevention bands. Formal verification of horizontal 
versions of these algorithms was presented in [2]. This paper provides correct versions of the algorithms presented in [3], namely track_bands (Section 5.5), gs_bands 
(Section 6.4), and vs_bands (Section 7.2). The correctness of these algorithms has 
been formally verified using the PVS theorem prover. 

Although this paper focuses on track angle, ground speed, and vertical speed 
prevention bands, the techniques presented here apply to arbitrary conflict prevention bands algorithms that are based on state information. More precisely, given 
a function $\nu : \mathbb{R} \to \mathbb{R}^3$ and an interval $I \subseteq \mathbb{R}$, Section 2.5 describes a general strategy 
that can be followed to prove that a given prevention bands algorithm is correct. 
In fact, Section 3 develops the theory of a universal function that can be used as 
a tool in the verification of prevention bands algorithms for many different choices 
of $\nu$. 